From no-reply at appveyor.com Fri Apr 1 00:05:10 2016
From: no-reply at appveyor.com (AppVeyor)
Date: Fri, 01 Apr 2016 00:05:10 +0000
Subject: [openssl-commits] Build failed: openssl master.2495
Message-ID: <20160401000509.11066.69139.54780AC1@appveyor.com>

An HTML attachment was scrubbed...
URL:

From no-reply at appveyor.com Fri Apr 1 00:37:41 2016
From: no-reply at appveyor.com (AppVeyor)
Date: Fri, 01 Apr 2016 00:37:41 +0000
Subject: [openssl-commits] Build failed: openssl master.2496
Message-ID: <20160401003739.35146.18512.9C09E6D0@appveyor.com>

An HTML attachment was scrubbed...
URL:

From no-reply at appveyor.com Fri Apr 1 01:09:34 2016
From: no-reply at appveyor.com (AppVeyor)
Date: Fri, 01 Apr 2016 01:09:34 +0000
Subject: [openssl-commits] Build failed: openssl master.2497
Message-ID: <20160401010934.18456.42355.6B8258BF@appveyor.com>

An HTML attachment was scrubbed...
URL:

From no-reply at appveyor.com Fri Apr 1 01:40:11 2016
From: no-reply at appveyor.com (AppVeyor)
Date: Fri, 01 Apr 2016 01:40:11 +0000
Subject: [openssl-commits] Build failed: openssl master.2498
Message-ID: <20160401014009.40494.39114.5B33B506@appveyor.com>

An HTML attachment was scrubbed...
URL:

From no-reply at appveyor.com Fri Apr 1 02:13:23 2016
From: no-reply at appveyor.com (AppVeyor)
Date: Fri, 01 Apr 2016 02:13:23 +0000
Subject: [openssl-commits] Build failed: openssl master.2499
Message-ID: <20160401021321.40494.39329.5733F397@appveyor.com>

An HTML attachment was scrubbed...
URL:

From levitte at openssl.org Fri Apr 1 05:24:15 2016
From: levitte at openssl.org (Richard Levitte) Date: Fri, 01 Apr 2016 05:24:15 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1459488255.774349.31743.nullmailer@dev.openssl.org> The branch master has been updated via 5902821d81ced5e7c5db972e4b569848500940f7 (commit) from 475965f2ef8eaeb67f065a7eabd3a781da76305b (commit) - Log ----------------------------------------------------------------- commit 5902821d81ced5e7c5db972e4b569848500940f7 Author: Richard Levitte Date: Thu Mar 31 09:27:15 2016 +0200 Make the use of perl more consistent - In Configure, register the perl interpreter used to run Configure, so that's the one being used throughout instead of something else that Configure happens to find. This is helpful for using a perl version that's not necessarely first in $PATH: /opt/perl/5.22.1/bin/perl ./Configure - Make apps/tsget a generated file, just like apps/CA.pl, so the perl interpreter registered by Configure becomes the hashbang path instead of a hardcoded /usr/bin/perl Reviewed-by: Andy Polyakov ----------------------------------------------------------------------- Summary of changes: Configurations/unix-Makefile.tmpl | 2 +- Configure | 2 +- apps/build.info | 3 ++- apps/{tsget => tsget.in} | 2 +- 4 files changed, 5 insertions(+), 4 deletions(-) rename apps/{tsget => tsget.in} (99%) diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl index 67b13fa..bd02b8c 100644 --- a/Configurations/unix-Makefile.tmpl +++ b/Configurations/unix-Makefile.tmpl @@ -89,7 +89,7 @@ GENERATED={- join(" ", map { (my $x = $_) =~ s|\.S$|\.s|; $x } keys %{$unified_i BIN_SCRIPTS=$(BLDDIR)/tools/c_rehash MISC_SCRIPTS=$(SRCDIR)/tools/c_hash $(SRCDIR)/tools/c_info \ $(SRCDIR)/tools/c_issuer $(SRCDIR)/tools/c_name \ - $(BLDDIR)/apps/CA.pl $(SRCDIR)/apps/tsget + $(BLDDIR)/apps/CA.pl $(BDLDIR)/apps/tsget SHLIB_INFO={- join(" ", map { "\"".shlib($_).";".shlib_simple($_)."\"" } @{$unified_info{libraries}}) -} 
diff --git a/Configure b/Configure index 34db142..1caba71 100755 --- a/Configure +++ b/Configure @@ -875,7 +875,7 @@ $config{cross_compile_prefix} = $ENV{'CROSS_COMPILE'} if $config{cross_compile_prefix} eq ""; # Allow overriding the names of some tools. USE WITH CARE -$config{perl} = $ENV{'PERL'} || which("perl5") || which("perl") || "perl"; +$config{perl} = $ENV{'PERL'} || ($^O ne "VMS" ? $^X : "perl"); $target{cc} = $ENV{'CC'} || $target{cc} || "cc"; $target{ranlib} = $ENV{'RANLIB'} || $target{ranlib} || which("ranlib") || "true"; $target{ar} = $ENV{'AR'} || $target{ar} || "ar"; diff --git a/apps/build.info b/apps/build.info index d581aad..d8ad197 100644 --- a/apps/build.info +++ b/apps/build.info @@ -14,5 +14,6 @@ SOURCE[openssl]=\ INCLUDE[openssl]={- rel2abs(catdir($builddir,"../include")) -} .. ../include DEPEND[openssl]=../libssl -SCRIPTS=CA.pl +SCRIPTS=CA.pl tsget SOURCE[CA.pl]=CA.pl.in +SOURCE[tsget]=tsget.in diff --git a/apps/tsget b/apps/tsget.in similarity index 99% rename from apps/tsget rename to apps/tsget.in index da900d9..fe029f3 100644 --- a/apps/tsget +++ b/apps/tsget.in @@ -1,4 +1,4 @@ -#!/usr/bin/perl -w +#!{- $config{perl} -} # Written by Zoltan Glozik . # Copyright (c) 2002 The OpenTSA Project. All rights reserved. $::version = '$Id: tsget,v 1.3 2009/09/07 17:57:18 steve Exp $'; From builds at travis-ci.org Fri Apr 1 05:43:31 2016 
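Review bot: The MISC_SCRIPTS line in the Configurations/unix-Makefile.tmpl hunk spells the new path `$(BDLDIR)/apps/tsget`, while the entry beside it uses `$(BLDDIR)`. make expands an undefined variable to the empty string without a diagnostic, so this entry becomes `/apps/tsget` and anything that consumes MISC_SCRIPTS will look for the script at the filesystem root. Change it to `$(BLDDIR)/apps/tsget`.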
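Review bot: The new first line of apps/tsget.in, `#!{- $config{perl} -}`, drops the `-w` switch that the old `#!/usr/bin/perl -w` carried, so the generated script runs without perl warnings. Keep `-w` after the template expression or add `use warnings;` to the script body. Since the hashbang now comes from `$^X` in the Configure hunk, it is also worth making that value absolute before storing it in `$config{perl}`: perl documents that `$^X` may be a relative path on some hosts, and a relative hashbang only works from the directory Configure was run in.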
From: builds at travis-ci.org (Travis CI)
Date: Fri, 01 Apr 2016 05:43:31 +0000
Subject: [openssl-commits] Still Failing: openssl/openssl#3182 (master - 5902821)
In-Reply-To:
Message-ID: <56fe0a82ea44c_33fc12a991288115672a@417d1195-d869-4c9c-a65b-0611786f2d28.mail>

Build Update for openssl/openssl
-------------------------------------

Build: #3182
Status: Still Failing
Duration: 18 minutes and 49 seconds
Commit: 5902821 (master)
Author: Richard Levitte
Message: Make the use of perl more consistent

- In Configure, register the perl interpreter used to run Configure, so that's the one being used throughout instead of something else that Configure happens to find. This is helpful for using a perl version that's not necessarily first in $PATH:

      /opt/perl/5.22.1/bin/perl ./Configure

- Make apps/tsget a generated file, just like apps/CA.pl, so the perl interpreter registered by Configure becomes the hashbang path instead of a hardcoded /usr/bin/perl

Reviewed-by: Andy Polyakov

View the changeset: https://github.com/openssl/openssl/compare/475965f2ef8e...5902821d81ce

View the full build log and details: https://travis-ci.org/openssl/openssl/builds/119989317

--

You can configure recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From no-reply at appveyor.com Fri Apr 1 05:56:46 2016
From: no-reply at appveyor.com (AppVeyor)
Date: Fri, 01 Apr 2016 05:56:46 +0000
Subject: [openssl-commits] Build failed: openssl master.2500
Message-ID: <20160401055644.60111.94192.C0A9B44E@appveyor.com>

An HTML attachment was scrubbed...
URL:

From levitte at openssl.org Fri Apr 1 14:24:26 2016
From: levitte at openssl.org (Richard Levitte) Date: Fri, 01 Apr 2016 14:24:26 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1459520666.435308.11036.nullmailer@dev.openssl.org> The branch master has been updated via 368058d0a79d2e3b853746b09ca86679a86ac233 (commit) from 5902821d81ced5e7c5db972e4b569848500940f7 (commit) - Log ----------------------------------------------------------------- commit 368058d0a79d2e3b853746b09ca86679a86ac233 Author: Richard Levitte Date: Fri Apr 1 12:36:51 2016 +0200 Force argv to be an array of long pointers on VMS Reverts commit 087ca80ad83071dde0bb6bc1c28c743caa00eaf8 Instead of battling the odd format of argv given to main() in default P64 mode, tell the compiler to make it an array of 64-bit pointers when compiling in P64 mode. A note is added in NOTES.VMS regarding minimum DEC C version. Reviewed-by: Andy Polyakov ----------------------------------------------------------------------- Summary of changes: Configurations/10-main.conf | 4 ++-- NOTES.VMS | 5 +++-- apps/apps.h | 15 ++++++--------- apps/openssl.c | 17 +++++++---------- apps/vms_decc_init.c | 2 +- 5 files changed, 19 insertions(+), 24 deletions(-) diff --git a/Configurations/10-main.conf b/Configurations/10-main.conf index 11ff13e..1b32b10 100644 --- a/Configurations/10-main.conf +++ b/Configurations/10-main.conf @@ -1763,7 +1763,7 @@ sub vms_info { "vms-alpha-p64" => { inherit_from => [ "vms-alpha" ], cflags => - add("/POINTER_SIZE=64", + add("/POINTER_SIZE=64=ARGV", sub { my @warnings = @{vms_info()->{disable_warns_p64}}; @warnings @@ -1796,7 +1796,7 @@ sub vms_info { "vms-ia64-p64" => { inherit_from => [ "vms-ia64" ], cflags => - add("/POINTER_SIZE=64", + add("/POINTER_SIZE=64=ARGV", sub { my @warnings = @{vms_info()->{disable_warns_p64}}; @warnings diff --git a/NOTES.VMS b/NOTES.VMS index ba1dbb4..6aeda11 100644 --- a/NOTES.VMS +++ b/NOTES.VMS 
@@ -18,8 +18,9 @@ An ANSI C compiled is needed among other things. This means that VAX C is not and will not be supported. - We have only tested with DEC C (a.k.a HP VMS C / VSI C), compiling - with a different ANSI C compiler may require some work. + We have only tested with DEC C (a.k.a HP VMS C / VSI C) and require + version 7.1 or later. Compiling with a different ANSI C compiler may + require some work. Please avoid using C RTL feature logical names DECC$* when building and testing OpenSSL. Most of all, they can be disruptive when diff --git a/apps/apps.h b/apps/apps.h index 7cf0dc4..434ca54 100644 --- a/apps/apps.h +++ b/apps/apps.h @@ -445,15 +445,12 @@ typedef struct args_st { char **argv; } ARGS; -#if defined(OPENSSL_SYS_VMS) && defined(__DECC) -# pragma pointer_size save -# pragma pointer_size 32 -typedef char **argv_t; -# pragma pointer_size restore -char **copy_argv(int *argc, argv_t argv); -#else -typedef char **argv_t; -#endif +/* + * VMS C only for now, implemented in vms_decc_init.c + * If other C compilers forget to terminate argv with NULL, this function + * can be re-used. + */ +char **copy_argv(int *argc, char *argv[]); # define PW_MIN_LENGTH 4 diff --git a/apps/openssl.c b/apps/openssl.c index b810ecf..26ea449 100644 --- a/apps/openssl.c +++ b/apps/openssl.c @@ -216,7 +216,6 @@ int main(int argc, char *argv[]) FUNCTION f, *fp; LHASH_OF(FUNCTION) *prog = NULL; char **copied_argv = NULL; - char **argv_alias = NULL; char *p, *pname; char buf[1024]; const char *prompt; @@ -232,10 +231,8 @@ int main(int argc, char *argv[]) bio_out = dup_bio_out(FORMAT_TEXT); bio_err = dup_bio_err(FORMAT_TEXT); -#if defined( OPENSSL_SYS_VMS) && defined(__DECC) - copied_argv = argv_alias = copy_argv(&argc, argv); -#else - argv_alias = argv; +#if defined(OPENSSL_SYS_VMS) && defined(__DECC) + copied_argv = argv = copy_argv(&argc, argv); #endif p = getenv("OPENSSL_DEBUG_MEMORY"); 
@@ -259,22 +256,22 @@ int main(int argc, char *argv[]) goto end; prog = prog_init(); - pname = opt_progname(argv_alias[0]); + pname = opt_progname(argv[0]); /* first check the program name */ f.name = pname; fp = lh_FUNCTION_retrieve(prog, &f); if (fp != NULL) { - argv_alias[0] = pname; - ret = fp->func(argc, argv_alias); + argv[0] = pname; + ret = fp->func(argc, argv); goto end; } /* If there is stuff on the command line, run with that. */ if (argc != 1) { argc--; - argv_alias++; - ret = do_cmd(prog, argc, argv_alias); + argv++; + ret = do_cmd(prog, argc, argv); if (ret < 0) ret = 0; goto end; diff --git a/apps/vms_decc_init.c b/apps/vms_decc_init.c index 8f8ffc6..ecf21af 100644 --- a/apps/vms_decc_init.c +++ b/apps/vms_decc_init.c @@ -106,7 +106,7 @@ decc_feat_t decc_feat_array[] = { }; -char **copy_argv(int *argc, argv_t argv) +char **copy_argv(int *argc, char *argv[]) { /*- * The note below is for historical purpose. On VMS now we always From builds at travis-ci.org Fri Apr 1 14:52:19 2016 
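Review bot: The prototype `char **copy_argv(int *argc, char *argv[]);` in the apps/apps.h hunk has lost its platform guard, although the comment above it says the function is implemented only in vms_decc_init.c and the one call in apps/openssl.c stays under `#if defined(OPENSSL_SYS_VMS) && defined(__DECC)`. Keeping the same guard around the prototype would make an accidental call on another platform show up at compile time rather than at link time.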
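Review bot: The minimum compiler version that `/POINTER_SIZE=64=ARGV` depends on (Configurations/10-main.conf, both the vms-alpha-p64 and vms-ia64-p64 targets) is recorded only as prose in NOTES.VMS ("require version 7.1 or later"); nothing in the visible hunks checks it. Because main() in apps/openssl.c now uses `argv` directly on the assumption that the qualifier took effect, a configure-time or compile-time version check that fails with a clear message would be safer than relying on the note. In the same NOTES.VMS hunk the unchanged context line "An ANSI C compiled is needed" should read "compiler".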
From: builds at travis-ci.org (Travis CI)
Date: Fri, 01 Apr 2016 14:52:19 +0000
Subject: [openssl-commits] Still Failing: openssl/openssl#3183 (master - 368058d)
In-Reply-To:
Message-ID: <56fe8b22d6a6d_33fb4cbf3eb7452527b@537be0e1-b561-4028-9aca-6b478dfb2c34.mail>

Build Update for openssl/openssl
-------------------------------------

Build: #3183
Status: Still Failing
Duration: 27 minutes and 12 seconds
Commit: 368058d (master)
Author: Richard Levitte
Message: Force argv to be an array of long pointers on VMS

Reverts commit 087ca80ad83071dde0bb6bc1c28c743caa00eaf8

Instead of battling the odd format of argv given to main() in default P64 mode, tell the compiler to make it an array of 64-bit pointers when compiling in P64 mode.

A note is added in NOTES.VMS regarding minimum DEC C version.

Reviewed-by: Andy Polyakov

View the changeset: https://github.com/openssl/openssl/compare/5902821d81ce...368058d0a79d

View the full build log and details: https://travis-ci.org/openssl/openssl/builds/120079734

--

You can configure recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From no-reply at appveyor.com Fri Apr 1 14:56:08 2016
From: no-reply at appveyor.com (AppVeyor)
Date: Fri, 01 Apr 2016 14:56:08 +0000
Subject: [openssl-commits] Build failed: openssl master.2501
Message-ID: <20160401145453.40510.31784.69B8C7E1@appveyor.com>

An HTML attachment was scrubbed...
URL:

From no-reply at appveyor.com Fri Apr 1 18:54:45 2016
From: no-reply at appveyor.com (AppVeyor)
Date: Fri, 01 Apr 2016 18:54:45 +0000
Subject: [openssl-commits] Build failed: openssl master.2502
Message-ID: <20160401185444.9090.87508.E37FEA4B@appveyor.com>

An HTML attachment was scrubbed...
URL:

From levitte at openssl.org Fri Apr 1 20:48:50 2016
From: levitte at openssl.org (Richard Levitte) Date: Fri, 01 Apr 2016 20:48:50 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1459543730.981281.11243.nullmailer@dev.openssl.org> The branch master has been updated via 488e2b0f5ae791ea17fd5b1880c4945a3306ca8e (commit) from 368058d0a79d2e3b853746b09ca86679a86ac233 (commit) - Log ----------------------------------------------------------------- commit 488e2b0f5ae791ea17fd5b1880c4945a3306ca8e Author: Richard Levitte Date: Fri Apr 1 16:03:46 2016 +0200 Add the C macro NDEBUG when configuring for release Reviewed-by: Andy Polyakov Reviewed-by: Emilia K?sper ----------------------------------------------------------------------- Summary of changes: Configure | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Configure b/Configure index 1caba71..fdd8820 100755 --- a/Configure +++ b/Configure @@ -912,6 +912,8 @@ if ($target{build_scheme}->[0] eq "unified" && $classic) { my ($builder, $builder_platform, @builder_opts) = @{$target{build_scheme}}; +push @{$config{defines}}, "NDEBUG" if $config{build_type} eq "release"; + if ($target =~ /^mingw/ && `$target{cc} --target-help 2>&1` =~ m/-mno-cygwin/m) { $config{cflags} .= " -mno-cygwin"; From no-reply at appveyor.com Fri Apr 1 21:21:44 2016 From: no-reply at appveyor.com (AppVeyor) Date: Fri, 01 Apr 2016 21:21:44 +0000 Subject: [openssl-commits] Build failed: openssl master.2503 Message-ID: <20160401212144.9094.10822.55944793@appveyor.com> An HTML attachment was scrubbed... URL: From builds at travis-ci.org Fri Apr 1 21:22:40 2016 
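Review bot: Defining NDEBUG for every release build, as the added `push @{$config{defines}}, "NDEBUG" if $config{build_type} eq "release";` line in Configure does, compiles out every assert() in the library and the apps. Before this lands the tree should be audited for assert() calls whose expression has a side effect or that are the only guard on a length or pointer, because those checks disappear silently, and for variables that are used only inside assertions, which will now trigger unused-variable warnings. The commit message names the macro but not this consequence; one sentence on it would help anyone bisecting a release-only failure.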
From: builds at travis-ci.org (Travis CI) Date: Fri, 01 Apr 2016 21:22:40 +0000 Subject: [openssl-commits] Still Failing: openssl/openssl#3185 (master - 488e2b0) In-Reply-To: Message-ID: <56fee69fdb7f4_33f8f7a4b3d4c814422@53ba1929-2d4d-4827-b371-33c05af9a550.mail> Build Update for openssl/openssl ------------------------------------- Build: #3185 Status: Still Failing Duration: 33 minutes and 7 seconds Commit: 488e2b0 (master) Author: Richard Levitte Message: Add the C macro NDEBUG when configuring for release Reviewed-by: Andy Polyakov Reviewed-by: Emilia K?sper View the changeset: https://github.com/openssl/openssl/compare/368058d0a79d...488e2b0f5ae7 View the full build log and details: https://travis-ci.org/openssl/openssl/builds/120170921 -- You can configure recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications -------------- next part -------------- An HTML attachment was scrubbed... URL: From levitte at openssl.org Sat Apr 2 15:21:39 2016 From: levitte at openssl.org (Richard Levitte) Date: Sat, 02 Apr 2016 15:21:39 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1459610499.555182.8191.nullmailer@dev.openssl.org> The branch master has been updated via 2d5a1cfab8af8a282c62a3e1562aab1ad905b3e9 (commit) from 488e2b0f5ae791ea17fd5b1880c4945a3306ca8e (commit) - Log ----------------------------------------------------------------- commit 2d5a1cfab8af8a282c62a3e1562aab1ad905b3e9 Author: Coty Sutherland Date: Fri Apr 1 14:20:11 2016 -0400 Correcting typo that causes make install fail Reviewed-by: Rich Salz Reviewed-by: Richard Levitte ----------------------------------------------------------------------- Summary of changes: Configurations/unix-Makefile.tmpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl index bd02b8c..e381237 100644 --- a/Configurations/unix-Makefile.tmpl 
+++ b/Configurations/unix-Makefile.tmpl @@ -89,7 +89,7 @@ GENERATED={- join(" ", map { (my $x = $_) =~ s|\.S$|\.s|; $x } keys %{$unified_i BIN_SCRIPTS=$(BLDDIR)/tools/c_rehash MISC_SCRIPTS=$(SRCDIR)/tools/c_hash $(SRCDIR)/tools/c_info \ $(SRCDIR)/tools/c_issuer $(SRCDIR)/tools/c_name \ - $(BLDDIR)/apps/CA.pl $(BDLDIR)/apps/tsget + $(BLDDIR)/apps/CA.pl $(BLDDIR)/apps/tsget SHLIB_INFO={- join(" ", map { "\"".shlib($_).";".shlib_simple($_)."\"" } @{$unified_info{libraries}}) -} From builds at travis-ci.org Sat Apr 2 15:43:06 2016 From: builds at travis-ci.org (Travis CI) Date: Sat, 02 Apr 2016 15:43:06 +0000 Subject: [openssl-commits] Still Failing: openssl/openssl#3186 (master - 2d5a1cf) In-Reply-To: Message-ID: <56ffe88a892b7_33f97d7c388c8203532@fd2259c4-c155-4914-a0c9-a423ec337c34.mail> Build Update for openssl/openssl ------------------------------------- Build: #3186 Status: Still Failing Duration: 20 minutes and 24 seconds Commit: 2d5a1cf (master) Author: Coty Sutherland Message: Correcting typo that causes make install fail Reviewed-by: Rich Salz Reviewed-by: Richard Levitte View the changeset: https://github.com/openssl/openssl/compare/488e2b0f5ae7...2d5a1cfab8af View the full build log and details: https://travis-ci.org/openssl/openssl/builds/120291158 -- You can configure recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications -------------- next part -------------- An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Sat Apr 2 15:53:51 2016 From: no-reply at appveyor.com (AppVeyor) Date: Sat, 02 Apr 2016 15:53:51 +0000 Subject: [openssl-commits] Build failed: openssl master.2504 Message-ID: <20160402155351.7819.58984.3A734C23@appveyor.com> An HTML attachment was scrubbed... URL: From steve at openssl.org Sat Apr 2 16:34:46 2016 
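Review bot: Nothing accompanies the MISC_SCRIPTS correction to `$(BLDDIR)/apps/tsget` that would stop the next misspelled directory variable: make expands an undefined name such as `$(BDLDIR)` to an empty string without any diagnostic, which is how the earlier spelling got through. Running GNU make with `--warn-undefined-variables` in one CI job, or having CI run `make install` into a scratch prefix, would surface this class of error before it reaches master.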
From: steve at openssl.org (Dr. Stephen Henson) Date: Sat, 02 Apr 2016 16:34:46 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1459614886.439336.23019.nullmailer@dev.openssl.org> The branch master has been updated via fa0a9d715e7e35d4f597683c16b643343245fa26 (commit) from 2d5a1cfab8af8a282c62a3e1562aab1ad905b3e9 (commit) - Log ----------------------------------------------------------------- commit fa0a9d715e7e35d4f597683c16b643343245fa26 Author: Dr. Stephen Henson Date: Wed Mar 30 21:46:13 2016 +0100 Fix X509_PUBKEY cached key handling. Don't decode a public key in X509_PUBKEY_get0(): that is handled when the key is parsed using x509_pubkey_decode() instead. Reviewed-by: Emilia K?sper ----------------------------------------------------------------------- Summary of changes: crypto/x509/x509_err.c | 3 +- crypto/x509/x_pubkey.c | 88 ++++++++++++++++++++++++++++++++++++-------------- include/openssl/x509.h | 1 + 3 files changed, 66 insertions(+), 26 deletions(-) diff --git a/crypto/x509/x509_err.c b/crypto/x509/x509_err.c index 9754c12..90a22de 100644 --- a/crypto/x509/x509_err.c +++ b/crypto/x509/x509_err.c @@ -1,5 +1,5 @@ /* ==================================================================== - * Copyright (c) 1999-2015 The OpenSSL Project. All rights reserved. + * Copyright (c) 1999-2016 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -110,6 +110,7 @@ static ERR_STRING_DATA X509_str_functs[] = { {ERR_FUNC(X509_F_X509_NAME_ONELINE), "X509_NAME_oneline"}, {ERR_FUNC(X509_F_X509_NAME_PRINT), "X509_NAME_print"}, {ERR_FUNC(X509_F_X509_PRINT_EX_FP), "X509_print_ex_fp"}, + {ERR_FUNC(X509_F_X509_PUBKEY_DECODE), "x509_pubkey_decode"}, {ERR_FUNC(X509_F_X509_PUBKEY_GET0), "X509_PUBKEY_get0"}, {ERR_FUNC(X509_F_X509_PUBKEY_SET), "X509_PUBKEY_set"}, {ERR_FUNC(X509_F_X509_REQ_CHECK_PRIVATE_KEY), 
diff --git a/crypto/x509/x_pubkey.c b/crypto/x509/x_pubkey.c index b9079b5..485d768 100644 --- a/crypto/x509/x_pubkey.c +++ b/crypto/x509/x_pubkey.c @@ -71,6 +71,8 @@ struct X509_pubkey_st { EVP_PKEY *pkey; }; +static int x509_pubkey_decode(EVP_PKEY **pk, X509_PUBKEY *key); + /* Minor tweak to operation: free up EVP_PKEY */ static int pubkey_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg) @@ -83,11 +85,13 @@ static int pubkey_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, X509_PUBKEY *pubkey = (X509_PUBKEY *)*pval; EVP_PKEY_free(pubkey->pkey); /* - * Remove any errors from the queue: subsequent decode attempts will - * return an appropriate error. + * Opportunistically decode the key but remove any non fatal errors + * from the queue. Subsequent explicit attempts to decode/use the key + * will return an appropriate error. */ ERR_set_mark(); - pubkey->pkey = X509_PUBKEY_get0(pubkey); + if (x509_pubkey_decode(&pubkey->pkey, pubkey) == -1) + return 0; ERR_pop_to_mark(); } return 1; @@ -128,6 +132,8 @@ int X509_PUBKEY_set(X509_PUBKEY **x, EVP_PKEY *pkey) X509_PUBKEY_free(*x); *x = pk; + pk->pkey = pkey; + EVP_PKEY_up_ref(pkey); return 1; error: 
@@ -135,44 +141,76 @@ int X509_PUBKEY_set(X509_PUBKEY **x, EVP_PKEY *pkey) return 0; } -EVP_PKEY *X509_PUBKEY_get0(X509_PUBKEY *key) -{ - EVP_PKEY *ret = NULL; - - if (key == NULL) - goto error; +/* + * Attempt to decode a public key. + * Returns 1 on success, 0 for a decode failure and -1 for a fatal + * error e.g. malloc failure. + */ - if (key->pkey != NULL) - return key->pkey; - if (key->public_key == NULL) - goto error; +static int x509_pubkey_decode(EVP_PKEY **ppkey, X509_PUBKEY *key) + { + EVP_PKEY *pkey = EVP_PKEY_new(); - if ((ret = EVP_PKEY_new()) == NULL) { - X509err(X509_F_X509_PUBKEY_GET0, ERR_R_MALLOC_FAILURE); - goto error; + if (pkey == NULL) { + X509err(X509_F_X509_PUBKEY_DECODE, ERR_R_MALLOC_FAILURE); + return -1; } - if (!EVP_PKEY_set_type(ret, OBJ_obj2nid(key->algor->algorithm))) { - X509err(X509_F_X509_PUBKEY_GET0, X509_R_UNSUPPORTED_ALGORITHM); + if (!EVP_PKEY_set_type(pkey, OBJ_obj2nid(key->algor->algorithm))) { + X509err(X509_F_X509_PUBKEY_DECODE, X509_R_UNSUPPORTED_ALGORITHM); goto error; } - if (ret->ameth->pub_decode) { - if (!ret->ameth->pub_decode(ret, key)) { - X509err(X509_F_X509_PUBKEY_GET0, X509_R_PUBLIC_KEY_DECODE_ERROR); + if (pkey->ameth->pub_decode) { + /* + * Treat any failure of pub_decode as a decode error. In + * future we could have different return codes for decode + * errors and fatal errors such as malloc failure. 
+ */ + if (!pkey->ameth->pub_decode(pkey, key)) { + X509err(X509_F_X509_PUBKEY_DECODE, X509_R_PUBLIC_KEY_DECODE_ERROR); goto error; } } else { - X509err(X509_F_X509_PUBKEY_GET0, X509_R_METHOD_NOT_SUPPORTED); + X509err(X509_F_X509_PUBKEY_DECODE, X509_R_METHOD_NOT_SUPPORTED); goto error; } - return ret; + *ppkey = pkey; + return 1; error: - EVP_PKEY_free(ret); - return (NULL); + EVP_PKEY_free(pkey); + return 0; +} + +EVP_PKEY *X509_PUBKEY_get0(X509_PUBKEY *key) +{ + EVP_PKEY *ret = NULL; + + if (key == NULL || key->public_key == NULL) + return NULL; + + if (key->pkey != NULL) + return key->pkey; + + /* + * When the key ASN.1 is initially parsed an attempt is made to + * decode the public key and cache the EVP_PKEY structure. If this + * operation fails the cached value will be NULL. Parsing continues + * to allow parsing of unknown key types or unsupported forms. + * We repeat the decode operation so the appropriate errors are left + * in the queue. + */ + x509_pubkey_decode(&ret, key); + /* If decode doesn't fail something bad happened */ + if (ret != NULL) { + X509err(X509_F_X509_PUBKEY_GET0, ERR_R_INTERNAL_ERROR); + EVP_PKEY_free(ret); + } + + return NULL; } EVP_PKEY *X509_PUBKEY_get(X509_PUBKEY *key) diff --git a/include/openssl/x509.h b/include/openssl/x509.h index 0ad753c..4f22dc3 100644 --- a/include/openssl/x509.h +++ b/include/openssl/x509.h @@ -1078,6 +1078,7 @@ void ERR_load_X509_strings(void); # define X509_F_X509_NAME_ONELINE 116 # define X509_F_X509_NAME_PRINT 117 # define X509_F_X509_PRINT_EX_FP 118 +# define X509_F_X509_PUBKEY_DECODE 148 # define X509_F_X509_PUBKEY_GET0 119 # define X509_F_X509_PUBKEY_SET 120 # define X509_F_X509_REQ_CHECK_PRIVATE_KEY 144 From builds at travis-ci.org Sat Apr 2 17:00:33 2016 
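Review bot: In the pubkey_cb hunk of crypto/x509/x_pubkey.c, `pubkey->pkey` is not reset after `EVP_PKEY_free(pubkey->pkey);`, and `x509_pubkey_decode(&pubkey->pkey, pubkey)` writes through its first argument only on success. On an ordinary decode failure (return 0) the field therefore keeps whatever value was just freed, a dangling pointer whenever the structure is being reused, whereas the removed `pubkey->pkey = X509_PUBKEY_get0(pubkey);` overwrote it with NULL. Add `pubkey->pkey = NULL;` directly after the free. Separately, the `return 0;` taken on -1 skips `ERR_pop_to_mark()`, so the mark placed by `ERR_set_mark()` stays on the error queue; if the intent is to keep the fatal error visible, the mark should still be cleared on that path.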
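Review bot: The rewritten X509_PUBKEY_get0() discards the return value of `x509_pubkey_decode(&ret, key);`, so a -1 (allocation failure) is treated the same as an ordinary decode failure, and every call on a key that could not be decoded repeats the whole decode only to refill the error queue. Check the return value, or extend the comment to say that both points are accepted. Minor: the forward declaration near the top of the file names the first parameter `pk` while the definition uses `ppkey`.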
From: builds at travis-ci.org (Travis CI)
Date: Sat, 02 Apr 2016 17:00:33 +0000
Subject: [openssl-commits] Still Failing: openssl/openssl#3187 (master - fa0a9d7)
In-Reply-To:
Message-ID: <56fffab255f7_33f97deab6480270331@fd2259c4-c155-4914-a0c9-a423ec337c34.mail>

Build Update for openssl/openssl
-------------------------------------

Build: #3187
Status: Still Failing
Duration: 25 minutes and 23 seconds
Commit: fa0a9d7 (master)
Author: Dr. Stephen Henson
Message: Fix X509_PUBKEY cached key handling.

Don't decode a public key in X509_PUBKEY_get0(): that is handled when the key is parsed using x509_pubkey_decode() instead.

Reviewed-by: Emilia Käsper

View the changeset: https://github.com/openssl/openssl/compare/2d5a1cfab8af...fa0a9d715e7e

View the full build log and details: https://travis-ci.org/openssl/openssl/builds/120300146

--

You can configure recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From no-reply at appveyor.com Sat Apr 2 17:05:47 2016
From: no-reply at appveyor.com (AppVeyor)
Date: Sat, 02 Apr 2016 17:05:47 +0000
Subject: [openssl-commits] Build failed: openssl master.2505
Message-ID: <20160402170547.9086.94997.14852DF7@appveyor.com>

An HTML attachment was scrubbed...
URL:

From levitte at openssl.org Sat Apr 2 18:10:07 2016
From: levitte at openssl.org (Richard Levitte) Date: Sat, 02 Apr 2016 18:10:07 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1459620607.160164.1176.nullmailer@dev.openssl.org> The branch master has been updated via e3d818588056ec8fed501e1f5970ef9b5b057fc5 (commit) from fa0a9d715e7e35d4f597683c16b643343245fa26 (commit) - Log ----------------------------------------------------------------- commit e3d818588056ec8fed501e1f5970ef9b5b057fc5 Author: Richard Levitte Date: Sat Apr 2 17:10:03 2016 +0200 make depend: Check that find returned a non-empty string rather than an empty The logic to find out of there are any .d files newer than Makefile is sound. Checking the result was less so. Reviewed-by: Rich Salz ----------------------------------------------------------------------- Summary of changes: Configurations/unix-Makefile.tmpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl index e381237..5b9a23f 100644 --- a/Configurations/unix-Makefile.tmpl +++ b/Configurations/unix-Makefile.tmpl @@ -261,7 +261,7 @@ clean: libclean # concatenate only if that is true. depend: @: {- output_off() if $disabled{makedepend}; "" -} - @if [ -z "`find $(DEPS) -newer Makefile 2>/dev/null; exit 0`" ]; then \ + @if [ -n "`find $(DEPS) -newer Makefile 2>/dev/null; exit 0`" ]; then \ ( sed -e '/^# DO NOT DELETE THIS LINE.*/,$$d' < Makefile; \ echo '# DO NOT DELETE THIS LINE -- make depend depends on it.'; \ echo; \ From builds at travis-ci.org Sat Apr 2 18:30:38 2016 
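Review bot: The `-n` test in the depend target of Configurations/unix-Makefile.tmpl can succeed without any .d file being newer than Makefile. If `$(DEPS)` expands to nothing, GNU find falls back to searching the current directory and prints every file newer than Makefile, and the `2>/dev/null; exit 0` around the command hides any find error, so the two cases cannot be told apart. Testing for a non-empty `$(DEPS)` before running find would make the condition match the "concatenate only if that is true" comment above it.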
From: builds at travis-ci.org (Travis CI)
Date: Sat, 02 Apr 2016 18:30:38 +0000
Subject: [openssl-commits] Still Failing: openssl/openssl#3188 (master - e3d8185)
In-Reply-To:
Message-ID: <57000fceab65b_33ff45486d55c51616a@0a332f67-9cc8-402b-9ab6-f509815ce223.mail>

Build Update for openssl/openssl
-------------------------------------

Build: #3188
Status: Still Failing
Duration: 20 minutes and 5 seconds
Commit: e3d8185 (master)
Author: Richard Levitte
Message: make depend: Check that find returned a non-empty string rather than an empty

The logic to find out if there are any .d files newer than Makefile is sound. Checking the result was less so.

Reviewed-by: Rich Salz

View the changeset: https://github.com/openssl/openssl/compare/fa0a9d715e7e...e3d818588056

View the full build log and details: https://travis-ci.org/openssl/openssl/builds/120313155

--

You can configure recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From no-reply at appveyor.com Sat Apr 2 18:46:52 2016
From: no-reply at appveyor.com (AppVeyor)
Date: Sat, 02 Apr 2016 18:46:52 +0000
Subject: [openssl-commits] Build failed: openssl master.2506
Message-ID: <20160402184651.28245.45442.704267AB@appveyor.com>

An HTML attachment was scrubbed...
URL:

From no-reply at appveyor.com Sat Apr 2 19:19:08 2016
From: no-reply at appveyor.com (AppVeyor)
Date: Sat, 02 Apr 2016 19:19:08 +0000
Subject: [openssl-commits] Build failed: openssl master.2507
Message-ID: <20160402191908.49899.82647.B924BD90@appveyor.com>

An HTML attachment was scrubbed...
URL:

From levitte at openssl.org Sat Apr 2 20:34:40 2016
From: levitte at openssl.org (Richard Levitte) Date: Sat, 02 Apr 2016 20:34:40 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1459629280.561010.5348.nullmailer@dev.openssl.org> The branch master has been updated via b286cb8eac308b2f2350d01b8b0ccb63909a2e47 (commit) from e3d818588056ec8fed501e1f5970ef9b5b057fc5 (commit) - Log ----------------------------------------------------------------- commit b286cb8eac308b2f2350d01b8b0ccb63909a2e47 Author: Richard Levitte Date: Sat Apr 2 19:59:19 2016 +0200 apps/opt.c: next was only used when NDEBUG undefined, move it inside guard Reviewed-by: Rich Salz ----------------------------------------------------------------------- Summary of changes: apps/opt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apps/opt.c b/apps/opt.c index f4eba2d..af994bb 100644 --- a/apps/opt.c +++ b/apps/opt.c @@ -163,8 +163,8 @@ char *opt_init(int ac, char **av, const OPTIONS *o) unknown = NULL; for (; o->name; ++o) { - const OPTIONS *next; #ifndef NDEBUG + const OPTIONS *next; int duplicated, i; #endif From rsalz at openssl.org Sat Apr 2 20:56:17 2016 
From: rsalz at openssl.org (Rich Salz) Date: Sat, 02 Apr 2016 20:56:17 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1459630577.700786.20784.nullmailer@dev.openssl.org> The branch master has been updated via 6b888643105e37d340d509b98023b4779653c8a7 (commit) from b286cb8eac308b2f2350d01b8b0ccb63909a2e47 (commit) - Log ----------------------------------------------------------------- commit 6b888643105e37d340d509b98023b4779653c8a7 Author: Mat Date: Fri Apr 1 02:00:03 2016 +0200 Fix: CRYPTO_THREAD_run_once InitOnceExecuteOnce returns nonzero on success: MSDN: "If the function succeeds, the return value is nonzero." So return 1 if it is nonzero, 0 others. Reviewed-by: Matt Caswell Reviewed-by: Rich Salz ----------------------------------------------------------------------- Summary of changes: crypto/threads_win.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/crypto/threads_win.c b/crypto/threads_win.c index 5a14872..63647a3 100644 --- a/crypto/threads_win.c +++ b/crypto/threads_win.c @@ -136,9 +136,9 @@ BOOL CALLBACK once_cb(PINIT_ONCE once, PVOID p, PVOID *pp) int CRYPTO_THREAD_run_once(CRYPTO_ONCE *once, void (*init)(void)) { if (InitOnceExecuteOnce(once, once_cb, init, NULL)) - return 0; + return 1; - return 1; + return 0; } # endif From builds at travis-ci.org Sat Apr 2 20:57:24 2016 
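Review bot: No test accompanies the return-value fix to CRYPTO_THREAD_run_once() in crypto/threads_win.c (the summary lists that one file only), so nothing would catch the result being inverted again. With the old code every successful InitOnceExecuteOnce() was reported as 0, which callers that check the result would treat as a failed initialisation; a test that asserts a return of 1 and that `init` ran exactly once would pin the contract on Windows. The body can also be reduced to `return InitOnceExecuteOnce(once, once_cb, init, NULL) != 0;`.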
From: builds at travis-ci.org (Travis CI) Date: Sat, 02 Apr 2016 20:57:24 +0000 Subject: [openssl-commits] Still Failing: openssl/openssl#3190 (master - b286cb8) In-Reply-To: Message-ID: <570032352f6ff_33ff459ed651059698d@0a332f67-9cc8-402b-9ab6-f509815ce223.mail> Build Update for openssl/openssl ------------------------------------- Build: #3190 Status: Still Failing Duration: 22 minutes and 13 seconds Commit: b286cb8 (master) Author: Richard Levitte Message: apps/opt.c: next was only used when NDEBUG undefined, move it inside guard Reviewed-by: Rich Salz View the changeset: https://github.com/openssl/openssl/compare/e3d818588056...b286cb8eac30 View the full build log and details: https://travis-ci.org/openssl/openssl/builds/120332667 -- You can configure recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications From rsalz at openssl.org Sat Apr 2 20:57:32 2016 
From: rsalz at openssl.org (Rich Salz) Date: Sat, 02 Apr 2016 20:57:32 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1459630652.376143.22490.nullmailer@dev.openssl.org> The branch master has been updated via d3e6d6bcdfb725a57f94330367e7b752036c7a2c (commit) via fc9755ee0d9590510df48b5fbac7cea0b6792b1f (commit) via 9fe9d0461ea4bcc42cd75a30f013fa61b5407b93 (commit) from 6b888643105e37d340d509b98023b4779653c8a7 (commit) - Log ----------------------------------------------------------------- commit d3e6d6bcdfb725a57f94330367e7b752036c7a2c Author: Kirill Marinushkin Date: Wed Mar 30 18:39:42 2016 +0200 moved structure bio_buf_mem_st from headers to bss_mem.c Reviewed-by: Richard Levitte Reviewed-by: Rich Salz commit fc9755ee0d9590510df48b5fbac7cea0b6792b1f Author: Kirill Marinushkin Date: Wed Mar 16 22:05:59 2016 +0100 sizeof() updated to cover coding style Reviewed-by: Richard Levitte Reviewed-by: Rich Salz commit 9fe9d0461ea4bcc42cd75a30f013fa61b5407b93 Author: Kirill Marinushkin Date: Sun Mar 13 13:20:52 2016 +0100 Optimized BIO mem read - without reallocation Currently on every BIO mem read operation the remaining data is reallocated. This commit solves the issue. BIO mem structure includes additional pointer to the read position. On every read the pointer moves instead of reallocating the memory for the remaining data. Reallocation occurs before write and some ioctl operations, if the read pointer doesn't point on the beginning of the buffer. Also the flag is added to rewind the read pointer without losing the data. Reviewed-by: Richard Levitte Reviewed-by: Rich Salz ----------------------------------------------------------------------- Summary of changes: crypto/bio/bss_mem.c | 111 ++++++++++++++++++++++++++++++++++------------- doc/crypto/BIO_s_mem.pod | 13 ++---- include/openssl/bio.h | 6 ++- 3 files changed, 89 insertions(+), 41 deletions(-) diff --git a/crypto/bio/bss_mem.c b/crypto/bio/bss_mem.c index 460e070..46bd034 100644 
--- a/crypto/bio/bss_mem.c +++ b/crypto/bio/bss_mem.c @@ -68,6 +68,9 @@ static long mem_ctrl(BIO *h, int cmd, long arg1, void *arg2); static int mem_new(BIO *h); static int secmem_new(BIO *h); static int mem_free(BIO *data); +static int mem_buf_free(BIO *data, int free_all); +static int mem_buf_sync(BIO *h); + static const BIO_METHOD mem_method = { BIO_TYPE_MEM, "memory buffer", @@ -80,6 +83,7 @@ static const BIO_METHOD mem_method = { mem_free, NULL, }; + static const BIO_METHOD secmem_method = { BIO_TYPE_MEM, "secure memory buffer", @@ -93,6 +97,12 @@ static const BIO_METHOD secmem_method = { NULL, }; +/* BIO memory stores buffer and read pointer */ +typedef struct bio_buf_mem_st { + struct buf_mem_st *buf; /* allocated buffer */ + struct buf_mem_st *readp; /* read pointer */ +} BIO_BUF_MEM; + /* * bio->num is used to hold the value to return on 'empty', if it is 0, * should_retry is not set @@ -112,6 +122,7 @@ BIO *BIO_new_mem_buf(const void *buf, int len) { BIO *ret; BUF_MEM *b; + BIO_BUF_MEM *bb; size_t sz; if (buf == NULL) { @@ -121,11 +132,13 @@ BIO *BIO_new_mem_buf(const void *buf, int len) sz = (len < 0) ? strlen(buf) : (size_t)len; if ((ret = BIO_new(BIO_s_mem())) == NULL) return NULL; - b = (BUF_MEM *)ret->ptr; + bb = (BIO_BUF_MEM *)ret->ptr; + b = bb->buf; /* Cast away const and trust in the MEM_RDONLY flag. */ b->data = (void *)buf; b->length = sz; b->max = sz; + *bb->readp = *bb->buf; ret->flags |= BIO_FLAGS_MEM_RDONLY; /* Since this is static data retrying wont help */ ret->num = 0; 
@@ -134,14 +147,19 @@ BIO *BIO_new_mem_buf(const void *buf, int len) static int mem_init(BIO *bi, unsigned long flags) { - BUF_MEM *b; + BIO_BUF_MEM *bb = OPENSSL_zalloc(sizeof(*bb)); - if ((b = BUF_MEM_new_ex(flags)) == NULL) + if (bb == NULL) return(0); + if ((bb->buf = BUF_MEM_new_ex(flags)) == NULL) + return(0); + if ((bb->readp = OPENSSL_zalloc(sizeof(*bb->readp))) == NULL) + return(0); + *bb->readp = *bb->buf; bi->shutdown = 1; bi->init = 1; bi->num = -1; - bi->ptr = (char *)b; + bi->ptr = (char *)bb; return(1); } 
@@ -157,37 +175,63 @@ static int secmem_new(BIO *bi) static int mem_free(BIO *a) { + return (mem_buf_free(a, 1)); +} + +static int mem_buf_free(BIO *a, int free_all) +{ if (a == NULL) return (0); if (a->shutdown) { if ((a->init) && (a->ptr != NULL)) { BUF_MEM *b; - b = (BUF_MEM *)a->ptr; - if (a->flags & BIO_FLAGS_MEM_RDONLY) - b->data = NULL; - BUF_MEM_free(b); + BIO_BUF_MEM *bb = (BIO_BUF_MEM *)a->ptr; + + if(bb != NULL) { + b = bb->buf; + if (a->flags & BIO_FLAGS_MEM_RDONLY) + b->data = NULL; + BUF_MEM_free(b); + if(free_all) { + OPENSSL_free(bb->readp); + OPENSSL_free(bb); + } + } a->ptr = NULL; } } return (1); } +/* + * Reallocate memory buffer if read pointer differs + */ +static int mem_buf_sync(BIO *b) +{ + if((b != NULL) && (b->init) && (b->ptr != NULL)) { + BIO_BUF_MEM *bbm = (BIO_BUF_MEM *)b->ptr; + + if(bbm->readp->data != bbm->buf->data) { + memmove(bbm->buf->data, bbm->readp->data, bbm->readp->length); + bbm->buf->length = bbm->readp->length; + bbm->readp->data = bbm->buf->data; + } + } + return (0); +} + static int mem_read(BIO *b, char *out, int outl) { int ret = -1; - BUF_MEM *bm; + BIO_BUF_MEM *bbm = (BIO_BUF_MEM *)b->ptr; + BUF_MEM *bm = bbm->readp; - bm = (BUF_MEM *)b->ptr; BIO_clear_retry_flags(b); ret = (outl >= 0 && (size_t)outl > bm->length) ? (int)bm->length : outl; if ((out != NULL) && (ret > 0)) { memcpy(out, bm->data, ret); bm->length -= ret; - if (b->flags & BIO_FLAGS_MEM_RDONLY) - bm->data += ret; - else { - memmove(&(bm->data[0]), &(bm->data[ret]), bm->length); - } + bm->data += ret; } else if (bm->length == 0) { ret = b->num; if (ret != 0) 
@@ -200,24 +244,23 @@ static int mem_write(BIO *b, const char *in, int inl) { int ret = -1; int blen; - BUF_MEM *bm; + BIO_BUF_MEM *bbm = (BIO_BUF_MEM *)b->ptr; - bm = (BUF_MEM *)b->ptr; if (in == NULL) { BIOerr(BIO_F_MEM_WRITE, BIO_R_NULL_PARAMETER); goto end; } - if (b->flags & BIO_FLAGS_MEM_RDONLY) { BIOerr(BIO_F_MEM_WRITE, BIO_R_WRITE_TO_READ_ONLY_BIO); goto end; } - BIO_clear_retry_flags(b); - blen = bm->length; - if (BUF_MEM_grow_clean(bm, blen + inl) == 0) + blen = bbm->readp->length; + mem_buf_sync(b); + if (BUF_MEM_grow_clean(bbm->buf, blen + inl) == 0) goto end; - memcpy(&(bm->data[blen]), in, inl); + memcpy(bbm->buf->data + blen, in, inl); + *bbm->readp = *bbm->buf; ret = inl; end: return (ret); @@ -227,29 +270,32 @@ static long mem_ctrl(BIO *b, int cmd, long num, void *ptr) { long ret = 1; char **pptr; - - BUF_MEM *bm = (BUF_MEM *)b->ptr; + BIO_BUF_MEM *bbm = (BIO_BUF_MEM *)b->ptr; + BUF_MEM *bm; switch (cmd) { case BIO_CTRL_RESET: + bm = bbm->buf; if (bm->data != NULL) { /* For read only case reset to the start again */ - if (b->flags & BIO_FLAGS_MEM_RDONLY) { - bm->data -= bm->max - bm->length; + if ((b->flags & BIO_FLAGS_MEM_RDONLY) || (b->flags & BIO_FLAGS_NONCLEAR_RST)) { bm->length = bm->max; } else { memset(bm->data, 0, bm->max); bm->length = 0; } + *bbm->readp = *bbm->buf; } break; case BIO_CTRL_EOF: + bm = bbm->readp; ret = (long)(bm->length == 0); break; case BIO_C_SET_BUF_MEM_EOF_RETURN: b->num = (int)num; break; case BIO_CTRL_INFO: + bm = bbm->readp; ret = (long)bm->length; if (ptr != NULL) { pptr = (char **)ptr; @@ -257,12 +303,16 @@ static long mem_ctrl(BIO *b, int cmd, long num, void *ptr) } break; case BIO_C_SET_BUF_MEM: - mem_free(b); + mem_buf_free(b, 0); b->shutdown = (int)num; - b->ptr = ptr; + bbm->buf = ptr; + *bbm->readp = *bbm->buf; + b->ptr = bbm; break; case BIO_C_GET_BUF_MEM_PTR: if (ptr != NULL) { + mem_buf_sync(b); + bm = bbm->readp; pptr = (char **)ptr; *pptr = (char *)bm; } 
@@ -273,11 +323,11 @@ static long mem_ctrl(BIO *b, int cmd, long num, void *ptr) case BIO_CTRL_SET_CLOSE: b->shutdown = (int)num; break; - case BIO_CTRL_WPENDING: ret = 0L; break; case BIO_CTRL_PENDING: + bm = bbm->readp; ret = (long)bm->length; break; case BIO_CTRL_DUP: @@ -298,7 +348,8 @@ static int mem_gets(BIO *bp, char *buf, int size) int i, j; int ret = -1; char *p; - BUF_MEM *bm = (BUF_MEM *)bp->ptr; + BIO_BUF_MEM *bbm = (BIO_BUF_MEM *)bp->ptr; + BUF_MEM *bm = bbm->readp; BIO_clear_retry_flags(bp); j = bm->length; diff --git a/doc/crypto/BIO_s_mem.pod b/doc/crypto/BIO_s_mem.pod index 03e291d..84abb29 100644 --- a/doc/crypto/BIO_s_mem.pod +++ b/doc/crypto/BIO_s_mem.pod @@ -39,9 +39,10 @@ Memory BIOs support BIO_gets() and BIO_puts(). If the BIO_CLOSE flag is set when a memory BIO is freed then the underlying BUF_MEM structure is also freed. -Calling BIO_reset() on a read write memory BIO clears any data in it. On a -read only BIO it restores the BIO to its original state and the read only -data can be read again. +Calling BIO_reset() on a read write memory BIO clears any data in it if the +flag BIO_FLAGS_NONCLEAR_RST is not set. On a read only BIO or if the flag +BIO_FLAGS_NONCLEAR_RST is set it restores the BIO to its original state and +the data can be read again. BIO_eof() is true if no data is in the BIO. @@ -90,12 +91,6 @@ give undefined results, including perhaps a program crash. There should be an option to set the maximum size of a memory BIO. -There should be a way to "rewind" a read write BIO without destroying -its contents. - -The copying operation should not occur after every small read of a large BIO -to improve efficiency. - =head1 EXAMPLE Create a memory BIO and write some data to it: diff --git a/include/openssl/bio.h b/include/openssl/bio.h index a32c2d3..e0c6380 100644 --- a/include/openssl/bio.h +++ b/include/openssl/bio.h 
@@ -216,10 +216,12 @@ extern "C" { # define BIO_FLAGS_BASE64_NO_NL 0x100 /* - * This is used with memory BIOs: it means we shouldn't free up or change the - * data in any way. + * This is used with memory BIOs: + * BIO_FLAGS_MEM_RDONLY means we shouldn't free up or change the data in any way; + * BIO_FLAGS_NONCLEAR_RST means we should't clear data on reset. */ # define BIO_FLAGS_MEM_RDONLY 0x200 +# define BIO_FLAGS_NONCLEAR_RST 0x400 typedef union bio_addr_st BIO_ADDR; typedef struct bio_addrinfo_st BIO_ADDRINFO; From no-reply at appveyor.com Sat Apr 2 21:06:57 2016 From: no-reply at appveyor.com (AppVeyor) Date: Sat, 02 Apr 2016 21:06:57 +0000 Subject: [openssl-commits] Build failed: openssl master.2508 Message-ID: <20160402210656.94576.97681.D48E58F1@appveyor.com> An HTML attachment was scrubbed... URL: From levitte at openssl.org Sat Apr 2 21:13:45 2016 
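Review bot: mem_init() in crypto/bio/bss_mem.c leaks on both of its new failure paths. If BUF_MEM_new_ex() fails, `bb` is never freed, and if the OPENSSL_zalloc() for `bb->readp` fails, both `bb` and `bb->buf` stay allocated. Releasing what has been allocated so far before each `return(0)`, or routing both through one error label, would close this.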
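Review bot: mem_buf_sync() in crypto/bio/bss_mem.c does a memmove() into `bbm->buf->data` without checking BIO_FLAGS_MEM_RDONLY, and the BIO_C_GET_BUF_MEM_PTR case in mem_ctrl() calls it unconditionally. For a BIO made by BIO_new_mem_buf(), where the code casts away const and relies on that flag, mem_read() now advances `readp->data` on every read, so a partial read followed by BIO_C_GET_BUF_MEM_PTR would write into the caller's read-only buffer. Returning early from mem_buf_sync() when the flag is set would keep the read-only promise. The function also always returns 0 and neither caller looks at the result, so it could be void.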
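Review bot: in the BIO_CTRL_RESET case of mem_ctrl(), a read-write BIO with BIO_FLAGS_NONCLEAR_RST gets `bm->length = bm->max`, which is only right when `max` equals the number of bytes written. That holds for BIO_new_mem_buf(), which sets both to `sz`, but mem_write() sizes the buffer through BUF_MEM_grow_clean(), and wherever that leaves `max` above `length` a rewind would report bytes that were never written. Since reads now only move `readp`, leaving `bbm->buf->length` untouched and doing just `*bbm->readp = *bbm->buf;` looks sufficient for the rewind. In the same hunk, BIO_C_GET_BUF_MEM_PTR now stores the address of `bbm->readp` rather than `bbm->buf` in `*pptr`, so callers that keep or free the returned BUF_MEM should be checked against that.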
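Review bot: the new comment in include/openssl/bio.h has a typo, "should't" for "shouldn't", and the updated BIO_s_mem.pod text names BIO_FLAGS_NONCLEAR_RST without saying how an application sets it on a memory BIO. One sentence in the pod naming the call to use, plus a note that the flag only changes BIO_reset() behaviour on read-write BIOs, would make the new flag usable from the documentation alone.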
From: levitte at openssl.org (Richard Levitte) Date: Sat, 02 Apr 2016 21:13:45 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1459631625.107461.1539.nullmailer@dev.openssl.org> The branch master has been updated via 25c78440d21c814705e0e50c6e567300936aa02b (commit) via cb2ceb18f242bbc573c0e332f34b9ca42fc5f561 (commit) from d3e6d6bcdfb725a57f94330367e7b752036c7a2c (commit) - Log ----------------------------------------------------------------- commit 25c78440d21c814705e0e50c6e567300936aa02b Author: Richard Levitte Date: Fri Apr 1 15:09:28 2016 +0200 Adapt some test recipes to the newer cmdstr() Reviewed-by: Rich Salz commit cb2ceb18f242bbc573c0e332f34b9ca42fc5f561 Author: Richard Levitte Date: Fri Apr 1 15:05:52 2016 +0200 Enhance OpenSSL::Test::cmdstr to give cmd string variants Within OpenSSL::Test, all commands end up existing in two variants, one that has redirections that are needed internally to work well together with the test harness, and one without those redirections. Depending on what the result is going to be used for, the caller may want one or the other, so we give them the possibility. Reviewed-by: Rich Salz ----------------------------------------------------------------------- Summary of changes: test/recipes/70-test_sslcertstatus.t | 2 +- test/recipes/70-test_sslextension.t | 2 +- test/recipes/70-test_sslsessiontick.t | 2 +- test/recipes/70-test_sslskewith0p.t | 2 +- test/recipes/70-test_sslvertol.t | 2 +- test/recipes/70-test_tlsextms.t | 2 +- test/recipes/80-test_ca.t | 2 +- test/recipes/80-test_tsa.t | 2 +- test/recipes/90-test_networking.t | 2 +- test/testlib/OpenSSL/Test.pm | 27 +++++++++++++++++++++++++-- 10 files changed, 34 insertions(+), 11 deletions(-) diff --git a/test/recipes/70-test_sslcertstatus.t b/test/recipes/70-test_sslcertstatus.t index 48014e2..d2bc280 100755 --- a/test/recipes/70-test_sslcertstatus.t +++ b/test/recipes/70-test_sslcertstatus.t 
@@ -72,7 +72,7 @@ plan skip_all => "$test_name needs the sock feature enabled" $ENV{OPENSSL_ia32cap} = '~0x200000200000000'; my $proxy = TLSProxy::Proxy->new( \&certstatus_filter, - cmdstr(app(["openssl"])), + cmdstr(app(["openssl"]), display => 1), srctop_file("apps", "server.pem"), (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}) ); diff --git a/test/recipes/70-test_sslextension.t b/test/recipes/70-test_sslextension.t index 92c6762..7d45ce2 100755 --- a/test/recipes/70-test_sslextension.t +++ b/test/recipes/70-test_sslextension.t @@ -72,7 +72,7 @@ plan skip_all => "$test_name needs the sock feature enabled" $ENV{OPENSSL_ia32cap} = '~0x200000200000000'; my $proxy = TLSProxy::Proxy->new( \&extension_filter, - cmdstr(app(["openssl"])), + cmdstr(app(["openssl"]), display => 1), srctop_file("apps", "server.pem"), (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}) ); diff --git a/test/recipes/70-test_sslsessiontick.t b/test/recipes/70-test_sslsessiontick.t index 7045738..cbd4c65 100755 --- a/test/recipes/70-test_sslsessiontick.t +++ b/test/recipes/70-test_sslsessiontick.t @@ -83,7 +83,7 @@ my $ticketseen = 0; my $proxy = TLSProxy::Proxy->new( undef, - cmdstr(app(["openssl"])), + cmdstr(app(["openssl"]), display => 1), srctop_file("apps", "server.pem"), (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}) ); diff --git a/test/recipes/70-test_sslskewith0p.t b/test/recipes/70-test_sslskewith0p.t index 0bed4bf..ac88ed5 100755 --- a/test/recipes/70-test_sslskewith0p.t +++ b/test/recipes/70-test_sslskewith0p.t @@ -75,7 +75,7 @@ plan skip_all => "$test_name needs the sock feature enabled" $ENV{OPENSSL_ia32cap} = '~0x200000200000000'; my $proxy = TLSProxy::Proxy->new( \&ske_0_p_filter, - cmdstr(app(["openssl"])), + cmdstr(app(["openssl"]), display => 1), srctop_file("apps", "server.pem"), (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}) ); diff --git a/test/recipes/70-test_sslvertol.t b/test/recipes/70-test_sslvertol.t index a3285a6..c1ec38f 100755 
--- a/test/recipes/70-test_sslvertol.t +++ b/test/recipes/70-test_sslvertol.t @@ -72,7 +72,7 @@ plan skip_all => "$test_name needs the sock feature enabled" $ENV{OPENSSL_ia32cap} = '~0x200000200000000'; my $proxy = TLSProxy::Proxy->new( \&vers_tolerance_filter, - cmdstr(app(["openssl"])), + cmdstr(app(["openssl"]), display => 1), srctop_file("apps", "server.pem"), (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}) ); diff --git a/test/recipes/70-test_tlsextms.t b/test/recipes/70-test_tlsextms.t index 5c41a90..24abfcf 100644 --- a/test/recipes/70-test_tlsextms.t +++ b/test/recipes/70-test_tlsextms.t @@ -84,7 +84,7 @@ my $fullhand = 0; my $proxy = TLSProxy::Proxy->new( \&extms_filter, - cmdstr(app(["openssl"])), + cmdstr(app(["openssl"]), display => 1), srctop_file("apps", "server.pem"), (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}) ); diff --git a/test/recipes/80-test_ca.t b/test/recipes/80-test_ca.t index 983f8ce..09d5ba6 100644 --- a/test/recipes/80-test_ca.t +++ b/test/recipes/80-test_ca.t @@ -9,7 +9,7 @@ use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file/; setup("test_ca"); -$ENV{OPENSSL} = cmdstr(app(["openssl"])); +$ENV{OPENSSL} = cmdstr(app(["openssl"]), display => 1); my $std_openssl_cnf = srctop_file("apps", $^O eq "VMS" ? "openssl-vms.cnf" : "openssl.cnf"); diff --git a/test/recipes/80-test_tsa.t b/test/recipes/80-test_tsa.t index 6785698..f2ceeeb 100644 --- a/test/recipes/80-test_tsa.t +++ b/test/recipes/80-test_tsa.t @@ -79,7 +79,7 @@ indir "tsa" => sub $ENV{OPENSSL_CONF} = srctop_file("test", "CAtsa.cnf"); # Because that's what ../apps/CA.pl really looks at $ENV{OPENSSL_CONFIG} = "-config ".$ENV{OPENSSL_CONF}; - $ENV{OPENSSL} = cmdstr(app(["openssl"])); + $ENV{OPENSSL} = cmdstr(app(["openssl"]), display => 1); $testtsa = srctop_file("test", "recipes", "80-test_tsa.t"); $CAtsa = srctop_file("test", "CAtsa.cnf"); diff --git a/test/recipes/90-test_networking.t b/test/recipes/90-test_networking.t index 408d89a..85de81a 100644 
--- a/test/recipes/90-test_networking.t +++ b/test/recipes/90-test_networking.t @@ -73,7 +73,7 @@ $ENV{OPENSSL_ia32cap} = '~0x200000200000000'; my $proxy = TLSProxy::Proxy->new( undef, - cmdstr(app(["openssl"])), + cmdstr(app(["openssl"]), display => 1), srctop_file("apps", "server.pem"), (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}) ); diff --git a/test/testlib/OpenSSL/Test.pm b/test/testlib/OpenSSL/Test.pm index b0a609f..ca2e369 100644 --- a/test/testlib/OpenSSL/Test.pm +++ b/test/testlib/OpenSSL/Test.pm @@ -548,19 +548,42 @@ sub with { =over 4 -=item B +=item B C takes a CODEREF from C or C and simply returns the command as a string. +C takes some additiona options OPTS that affect the string returned: + +=over 4 + +=item B 0|1> + +When set to 0, the returned string will be with all decorations, such as a +possible redirect of stderr to the null device. This is suitable if the +string is to be used directly in a recipe. + +When set to 1, the returned string will be without extra decorations. This +is suitable for display if that is desired (doesn't confuse people with all +internal stuff), or if it's used to pass a command down to a subprocess. + +Default: 0 + +=back + =back =cut sub cmdstr { my ($cmd, $display_cmd) = shift->(0); + my %opts = @_; - return $cmd; + if ($opts{display}) { + return $display_cmd; + } else { + return $cmd; + } } =over 4 From builds at travis-ci.org Sat Apr 2 21:16:31 2016 
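Review bot: in cmdstr() in test/testlib/OpenSSL/Test.pm, `my %opts = @_;` accepts any key, so a misspelt option in a recipe silently falls back to the decorated string, which is the variant the new pod says is not the one to hand down to a subprocess. Rejecting or warning on keys other than `display` would make that mistake visible in the recipes changed here, several of which pass the result to TLSProxy::Proxy->new or into $ENV{OPENSSL}. The pod text also has a typo, "additiona" for "additional".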
From: builds at travis-ci.org (Travis CI) Date: Sat, 02 Apr 2016 21:16:31 +0000 Subject: [openssl-commits] Still Failing: openssl/openssl#3191 (master - 6b88864) In-Reply-To: Message-ID: <570036af74c8a_33ff459eb49d8606118@0a332f67-9cc8-402b-9ab6-f509815ce223.mail> Build Update for openssl/openssl ------------------------------------- Build: #3191 Status: Still Failing Duration: 19 minutes and 53 seconds Commit: 6b88864 (master) Author: Mat Message: Fix: CRYPTO_THREAD_run_once InitOnceExecuteOnce returns nonzero on success: MSDN: "If the function succeeds, the return value is nonzero." So return 1 if it is nonzero, 0 others. Reviewed-by: Matt Caswell Reviewed-by: Rich Salz View the changeset: https://github.com/openssl/openssl/compare/b286cb8eac30...6b888643105e View the full build log and details: https://travis-ci.org/openssl/openssl/builds/120335488 -- You can configure recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications From builds at travis-ci.org Sat Apr 2 21:38:57 2016 
From: builds at travis-ci.org (Travis CI) Date: Sat, 02 Apr 2016 21:38:57 +0000 Subject: [openssl-commits] Still Failing: openssl/openssl#3192 (master - d3e6d6b) In-Reply-To: Message-ID: <57003bf1b882f_33f97d7c3817051956b@fd2259c4-c155-4914-a0c9-a423ec337c34.mail> Build Update for openssl/openssl ------------------------------------- Build: #3192 Status: Still Failing Duration: 27 minutes and 14 seconds Commit: d3e6d6b (master) Author: Kirill Marinushkin Message: moved structure bio_buf_mem_st from headers to bss_mem.c Reviewed-by: Richard Levitte Reviewed-by: Rich Salz View the changeset: https://github.com/openssl/openssl/compare/6b888643105e...d3e6d6bcdfb7 View the full build log and details: https://travis-ci.org/openssl/openssl/builds/120335670 -- You can configure recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications From no-reply at appveyor.com Sat Apr 2 21:39:44 2016 From: no-reply at appveyor.com (AppVeyor) Date: Sat, 02 Apr 2016 21:39:44 +0000 Subject: [openssl-commits] Build failed: openssl master.2509 Message-ID: <20160402213943.49895.31826.E6C1CB46@appveyor.com> An HTML attachment was scrubbed... URL: From builds at travis-ci.org Sat Apr 2 21:54:52 2016 
From: builds at travis-ci.org (Travis CI) Date: Sat, 02 Apr 2016 21:54:52 +0000 Subject: [openssl-commits] Still Failing: openssl/openssl#3193 (master - 25c7844) In-Reply-To: Message-ID: <57003fabb2956_33ff45486d55c627151@0a332f67-9cc8-402b-9ab6-f509815ce223.mail> Build Update for openssl/openssl ------------------------------------- Build: #3193 Status: Still Failing Duration: 15 minutes and 4 seconds Commit: 25c7844 (master) Author: Richard Levitte Message: Adapt some test recipes to the newer cmdstr() Reviewed-by: Rich Salz View the changeset: https://github.com/openssl/openssl/compare/d3e6d6bcdfb7...25c78440d21c View the full build log and details: https://travis-ci.org/openssl/openssl/builds/120338062 -- You can configure recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications From no-reply at appveyor.com Sat Apr 2 22:10:07 2016 From: no-reply at appveyor.com (AppVeyor) Date: Sat, 02 Apr 2016 22:10:07 +0000 Subject: [openssl-commits] Build failed: openssl master.2510 Message-ID: <20160402221007.49895.52107.8E0B3506@appveyor.com> An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Sat Apr 2 22:42:05 2016 From: no-reply at appveyor.com (AppVeyor) Date: Sat, 02 Apr 2016 22:42:05 +0000 Subject: [openssl-commits] Build failed: openssl master.2511 Message-ID: <20160402224205.94568.50402.4185914E@appveyor.com> An HTML attachment was scrubbed... URL: From matt at openssl.org Sat Apr 2 23:25:30 2016 
From: matt at openssl.org (Matt Caswell) Date: Sat, 02 Apr 2016 23:25:30 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1459639530.204779.9105.nullmailer@dev.openssl.org> The branch master has been updated via aa05e7caea28d9a7142ae89a38f8fa962695c687 (commit) via a517f7fcdc85000b682b91d4cb2ab602f6f7d050 (commit) via a60e6a7af4191be89e67b925c4ee35a1f7cdd1d0 (commit) via 3fe85096bd8258b2b92dbd67c79b1be70e993012 (commit) via fbaedfdd4748bec057a39141faff6b396e25eac7 (commit) via 6e9fa57c6ddde7df49983251373a05cd663aac22 (commit) via 1258396d73cf937e4daaf2c35377011b9366f956 (commit) from 25c78440d21c814705e0e50c6e567300936aa02b (commit) - Log ----------------------------------------------------------------- commit aa05e7caea28d9a7142ae89a38f8fa962695c687 Author: Matt Caswell Date: Sat Apr 2 23:08:14 2016 +0100 Rename get/set_app_data to get0/set0_app_data Also fixed a style issue Reviewed-by: Richard Levitte Reviewed-by: Stephen Henson commit a517f7fcdc85000b682b91d4cb2ab602f6f7d050 Author: Matt Caswell Date: Sat Apr 2 19:41:41 2016 +0100 Various DSA opacity fixups Numerous fixups based on feedback of the DSA opacity changes. Reviewed-by: Richard Levitte Reviewed-by: Stephen Henson commit a60e6a7af4191be89e67b925c4ee35a1f7cdd1d0 Author: Matt Caswell Date: Fri Apr 1 15:43:17 2016 +0100 make update Reviewed-by: Richard Levitte Reviewed-by: Stephen Henson commit 3fe85096bd8258b2b92dbd67c79b1be70e993012 Author: Matt Caswell Date: Fri Apr 1 14:09:57 2016 +0100 Added DSA opacity to CHANGES Reviewed-by: Richard Levitte Reviewed-by: Stephen Henson commit fbaedfdd4748bec057a39141faff6b396e25eac7 Author: Matt Caswell Date: Thu Mar 31 14:22:39 2016 +0100 Document functions added as a result of DSA opacity changes A number of getters/setters have been added for examining DSA objects, as well as a whole set of functions for creating and building up DSA_METHODs. 
Reviewed-by: Richard Levitte Reviewed-by: Stephen Henson commit 6e9fa57c6ddde7df49983251373a05cd663aac22 Author: Matt Caswell Date: Wed Mar 30 17:18:55 2016 +0100 Make DSA_METHOD opaque Move the dsa_method structure out of the public header file, and provide getter and setter functions for creating and modifying custom DSA_METHODs. Reviewed-by: Richard Levitte Reviewed-by: Stephen Henson commit 1258396d73cf937e4daaf2c35377011b9366f956 Author: Matt Caswell Date: Wed Mar 30 15:21:39 2016 +0100 Make the DSA structure opaque Move the dsa_st structure out of the public header file. Add some accessor functions to enable access to the internal fields, and update all internal usage to use the new functions. Reviewed-by: Richard Levitte Reviewed-by: Stephen Henson ----------------------------------------------------------------------- Summary of changes: CHANGES | 5 ++ apps/dsa.c | 4 +- apps/dsaparam.c | 15 ++-- apps/gendsa.c | 4 +- apps/testdsa.h | 105 ++++++++++++++++------ apps/x509.c | 10 ++- crypto/dsa/Makefile.in | 6 +- crypto/dsa/build.info | 3 +- crypto/dsa/dsa_ameth.c | 2 +- crypto/dsa/dsa_asn1.c | 2 +- crypto/dsa/dsa_key.c | 2 +- crypto/dsa/dsa_lib.c | 73 +++++++++++++++- crypto/dsa/dsa_locl.h | 49 +++++++++++ crypto/dsa/dsa_meth.c | 197 ++++++++++++++++++++++++++++++++++++++++++ crypto/dsa/dsa_ossl.c | 2 +- crypto/dsa/dsa_sign.c | 2 +- crypto/dsa/dsa_vrf.c | 2 +- crypto/engine/eng_cryptodev.c | 105 ++++++++++++---------- crypto/pem/pvkfmt.c | 63 ++++++++++---- doc/crypto/DSA_get0_pqg.pod | 82 ++++++++++++++++++ doc/crypto/DSA_meth_new.pod | 184 +++++++++++++++++++++++++++++++++++++++ doc/crypto/DSA_set_method.pod | 47 +--------- engines/e_capi.c | 59 ++++++------- include/openssl/dsa.h | 107 ++++++++++++----------- test/dsatest.c | 12 +-- util/libcrypto.num | 36 ++++++++ 26 files changed, 940 insertions(+), 238 deletions(-) create mode 100644 crypto/dsa/dsa_meth.c create mode 100644 doc/crypto/DSA_get0_pqg.pod create mode 100644 doc/crypto/DSA_meth_new.pod 
diff --git a/CHANGES b/CHANGES index 8597b8a..5ac7ef5 100644 --- a/CHANGES +++ b/CHANGES @@ -4,6 +4,11 @@ Changes between 1.0.2g and 1.1.0 [xx XXX xxxx] + *) Made DSA and DSA_METHOD opaque. The structures for managing DSA objects + have been moved out of the public header files. New functions for managing + these have been added. + [Matt Caswell] + *) Made BIO and BIO_METHOD opaque. The structures for managing BIOs have been moved out of the public header files. New functions for managing these have been added. diff --git a/apps/dsa.c b/apps/dsa.c index ed5bf01..1c841a3 100644 --- a/apps/dsa.c +++ b/apps/dsa.c @@ -243,8 +243,10 @@ int dsa_main(int argc, char **argv) } if (modulus) { + BIGNUM *pub_key = NULL; + DSA_get0_key(dsa, &pub_key, NULL); BIO_printf(out, "Public Key="); - BN_print(out, dsa->pub_key); + BN_print(out, pub_key); BIO_printf(out, "\n"); } diff --git a/apps/dsaparam.c b/apps/dsaparam.c index 7b9ca63..64e92ae 100644 --- a/apps/dsaparam.c +++ b/apps/dsaparam.c @@ -263,14 +263,19 @@ int dsaparam_main(int argc, char **argv) } if (C) { - int len = BN_num_bytes(dsa->p); - int bits_p = BN_num_bits(dsa->p); + BIGNUM *p = NULL, *q = NULL, *g = NULL; + int len, bits_p; + + DSA_get0_pqg(dsa, &p, &q, &g); + len = BN_num_bytes(p); + bits_p = BN_num_bits(p); + unsigned char *data = app_malloc(len + 20, "BN space"); BIO_printf(bio_out, "DSA *get_dsa%d()\n{\n", bits_p); - print_bignum_var(bio_out, dsa->p, "dsap", len, data); - print_bignum_var(bio_out, dsa->q, "dsaq", len, data); - print_bignum_var(bio_out, dsa->g, "dsag", len, data); + print_bignum_var(bio_out, p, "dsap", len, data); + print_bignum_var(bio_out, q, "dsaq", len, data); + print_bignum_var(bio_out, g, "dsag", len, data); BIO_printf(bio_out, " DSA *dsa = DSA_new();\n" "\n"); BIO_printf(bio_out, " if (dsa == NULL)\n" diff --git a/apps/gendsa.c b/apps/gendsa.c index 6769968..33166b7 100644 --- a/apps/gendsa.c +++ b/apps/gendsa.c 
@@ -101,6 +101,7 @@ int gendsa_main(int argc, char **argv) char *outfile = NULL, *passoutarg = NULL, *passout = NULL, *prog; OPTION_CHOICE o; int ret = 1, private = 0; + BIGNUM *p = NULL; prog = opt_init(argc, argv, gendsa_options); while ((o = opt_next()) != OPT_EOF) { @@ -168,7 +169,8 @@ int gendsa_main(int argc, char **argv) BIO_printf(bio_err, "%ld semi-random bytes loaded\n", app_RAND_load_files(inrand)); - BIO_printf(bio_err, "Generating DSA key, %d bits\n", BN_num_bits(dsa->p)); + DSA_get0_pqg(dsa, &p, NULL, NULL); + BIO_printf(bio_err, "Generating DSA key, %d bits\n", BN_num_bits(p)); if (!DSA_generate_key(dsa)) goto end; diff --git a/apps/testdsa.h b/apps/testdsa.h index 4eb13d1..6519948 100644 --- a/apps/testdsa.h +++ b/apps/testdsa.h 
@@ -92,18 +92,35 @@ static unsigned char dsa512_g[] = { DSA *get_dsa512() { DSA *dsa; + BIGNUM *priv_key, *pub_key, *p, *q, *g; if ((dsa = DSA_new()) == NULL) return (NULL); - dsa->priv_key = BN_bin2bn(dsa512_priv, sizeof(dsa512_priv), NULL); - dsa->pub_key = BN_bin2bn(dsa512_pub, sizeof(dsa512_pub), NULL); - dsa->p = BN_bin2bn(dsa512_p, sizeof(dsa512_p), NULL); - dsa->q = BN_bin2bn(dsa512_q, sizeof(dsa512_q), NULL); - dsa->g = BN_bin2bn(dsa512_g, sizeof(dsa512_g), NULL); - if ((dsa->priv_key == NULL) || (dsa->pub_key == NULL) || (dsa->p == NULL) - || (dsa->q == NULL) || (dsa->g == NULL)) - return (NULL); - return (dsa); + priv_key = BN_bin2bn(dsa512_priv, sizeof(dsa512_priv), NULL); + pub_key = BN_bin2bn(dsa512_pub, sizeof(dsa512_pub), NULL); + p = BN_bin2bn(dsa512_p, sizeof(dsa512_p), NULL); + q = BN_bin2bn(dsa512_q, sizeof(dsa512_q), NULL); + g = BN_bin2bn(dsa512_g, sizeof(dsa512_g), NULL); + if ((priv_key == NULL) || (pub_key == NULL) || (p == NULL) || (q == NULL) + || (g == NULL)) { + goto err; + } + if (!DSA_set0_pqg(dsa, p, q, g)) + goto err; + p = q = g = NULL; + + if (!DSA_set0_key(dsa, pub_key, priv_key)) + goto err; + + return dsa; + err: + DSA_free(dsa); + BN_free(priv_key); + BN_free(pub_key); + BN_free(p); + BN_free(q); + BN_free(g); + return NULL; } static unsigned char dsa1024_priv[] = { 
@@ -161,18 +178,35 @@ static unsigned char dsa1024_g[] = { DSA *get_dsa1024() { DSA *dsa; + BIGNUM *priv_key, *pub_key, *p, *q, *g; if ((dsa = DSA_new()) == NULL) return (NULL); - dsa->priv_key = BN_bin2bn(dsa1024_priv, sizeof(dsa1024_priv), NULL); - dsa->pub_key = BN_bin2bn(dsa1024_pub, sizeof(dsa1024_pub), NULL); - dsa->p = BN_bin2bn(dsa1024_p, sizeof(dsa1024_p), NULL); - dsa->q = BN_bin2bn(dsa1024_q, sizeof(dsa1024_q), NULL); - dsa->g = BN_bin2bn(dsa1024_g, sizeof(dsa1024_g), NULL); - if ((dsa->priv_key == NULL) || (dsa->pub_key == NULL) || (dsa->p == NULL) - || (dsa->q == NULL) || (dsa->g == NULL)) - return (NULL); - return (dsa); + priv_key = BN_bin2bn(dsa1024_priv, sizeof(dsa1024_priv), NULL); + pub_key = BN_bin2bn(dsa1024_pub, sizeof(dsa1024_pub), NULL); + p = BN_bin2bn(dsa1024_p, sizeof(dsa1024_p), NULL); + q = BN_bin2bn(dsa1024_q, sizeof(dsa1024_q), NULL); + g = BN_bin2bn(dsa1024_g, sizeof(dsa1024_g), NULL); + if ((priv_key == NULL) || (pub_key == NULL) || (p == NULL) || (q == NULL) + || (g == NULL)) { + goto err; + } + if (!DSA_set0_pqg(dsa, p, q, g)) + goto err; + p = q = g = NULL; + + if (!DSA_set0_key(dsa, pub_key, priv_key)) + goto err; + + return dsa; + err: + DSA_free(dsa); + BN_free(priv_key); + BN_free(pub_key); + BN_free(p); + BN_free(q); + BN_free(g); + return NULL; } static unsigned char dsa2048_priv[] = { 
@@ -263,18 +297,35 @@ static unsigned char dsa2048_g[] = { DSA *get_dsa2048() { DSA *dsa; + BIGNUM *priv_key, *pub_key, *p, *q, *g; if ((dsa = DSA_new()) == NULL) return (NULL); - dsa->priv_key = BN_bin2bn(dsa2048_priv, sizeof(dsa2048_priv), NULL); - dsa->pub_key = BN_bin2bn(dsa2048_pub, sizeof(dsa2048_pub), NULL); - dsa->p = BN_bin2bn(dsa2048_p, sizeof(dsa2048_p), NULL); - dsa->q = BN_bin2bn(dsa2048_q, sizeof(dsa2048_q), NULL); - dsa->g = BN_bin2bn(dsa2048_g, sizeof(dsa2048_g), NULL); - if ((dsa->priv_key == NULL) || (dsa->pub_key == NULL) || (dsa->p == NULL) - || (dsa->q == NULL) || (dsa->g == NULL)) - return (NULL); - return (dsa); + priv_key = BN_bin2bn(dsa2048_priv, sizeof(dsa2048_priv), NULL); + pub_key = BN_bin2bn(dsa2048_pub, sizeof(dsa2048_pub), NULL); + p = BN_bin2bn(dsa2048_p, sizeof(dsa2048_p), NULL); + q = BN_bin2bn(dsa2048_q, sizeof(dsa2048_q), NULL); + g = BN_bin2bn(dsa2048_g, sizeof(dsa2048_g), NULL); + if ((priv_key == NULL) || (pub_key == NULL) || (p == NULL) || (q == NULL) + || (g == NULL)) { + goto err; + } + if (!DSA_set0_pqg(dsa, p, q, g)) + goto err; + p = q = g = NULL; + + if (!DSA_set0_key(dsa, pub_key, priv_key)) + goto err; + + return dsa; + err: + DSA_free(dsa); + BN_free(priv_key); + BN_free(pub_key); + BN_free(p); + BN_free(q); + BN_free(g); + return NULL; } static const char rnd_seed[] = diff --git a/apps/x509.c b/apps/x509.c index 66dd2ff..00c0d97 100644 --- a/apps/x509.c +++ b/apps/x509.c @@ -734,11 +734,15 @@ int x509_main(int argc, char **argv) else #endif #ifndef OPENSSL_NO_DSA - if (EVP_PKEY_id(pkey) == EVP_PKEY_DSA) - BN_print(out, EVP_PKEY_get0_DSA(pkey)->pub_key); - else + if (EVP_PKEY_id(pkey) == EVP_PKEY_DSA) { + BIGNUM *dsapub = NULL; + DSA_get0_key(EVP_PKEY_get0_DSA(pkey), &dsapub, NULL); + BN_print(out, dsapub); + } else #endif + { BIO_printf(out, "Wrong Algorithm type"); + } BIO_printf(out, "\n"); } else if (pubkey == i) { EVP_PKEY *pkey; 
diff --git a/crypto/dsa/Makefile.in b/crypto/dsa/Makefile.in index 9f38d4e..145034e 100644 --- a/crypto/dsa/Makefile.in +++ b/crypto/dsa/Makefile.in @@ -16,9 +16,11 @@ GENERAL=Makefile LIB=$(TOP)/libcrypto.a LIBSRC= dsa_gen.c dsa_key.c dsa_lib.c dsa_asn1.c dsa_vrf.c dsa_sign.c \ - dsa_err.c dsa_ossl.c dsa_depr.c dsa_ameth.c dsa_pmeth.c dsa_prn.c + dsa_err.c dsa_ossl.c dsa_depr.c dsa_ameth.c dsa_pmeth.c dsa_prn.c \ + dsa_meth.c LIBOBJ= dsa_gen.o dsa_key.o dsa_lib.o dsa_asn1.o dsa_vrf.o dsa_sign.o \ - dsa_err.o dsa_ossl.o dsa_depr.o dsa_ameth.o dsa_pmeth.o dsa_prn.o + dsa_err.o dsa_ossl.o dsa_depr.o dsa_ameth.o dsa_pmeth.o dsa_prn.o \ + dsa_meth.o SRC= $(LIBSRC) diff --git a/crypto/dsa/build.info b/crypto/dsa/build.info index 09cdd36..2e75985 100644 --- a/crypto/dsa/build.info +++ b/crypto/dsa/build.info @@ -1,4 +1,5 @@ LIBS=../../libcrypto SOURCE[../../libcrypto]=\ dsa_gen.c dsa_key.c dsa_lib.c dsa_asn1.c dsa_vrf.c dsa_sign.c \ - dsa_err.c dsa_ossl.c dsa_depr.c dsa_ameth.c dsa_pmeth.c dsa_prn.c + dsa_err.c dsa_ossl.c dsa_depr.c dsa_ameth.c dsa_pmeth.c dsa_prn.c \ + dsa_meth.c diff --git a/crypto/dsa/dsa_ameth.c b/crypto/dsa/dsa_ameth.c index f0f28bd..54cdb3d 100644 --- a/crypto/dsa/dsa_ameth.c +++ b/crypto/dsa/dsa_ameth.c @@ -60,7 +60,7 @@ #include "internal/cryptlib.h" #include #include -#include +#include "dsa_locl.h" #include #include #include "internal/asn1_int.h" diff --git a/crypto/dsa/dsa_asn1.c b/crypto/dsa/dsa_asn1.c index c338b5f..1468fb1 100644 --- a/crypto/dsa/dsa_asn1.c +++ b/crypto/dsa/dsa_asn1.c @@ -58,7 +58,7 @@ #include #include "internal/cryptlib.h" -#include +#include "dsa_locl.h" #include #include #include diff --git a/crypto/dsa/dsa_key.c b/crypto/dsa/dsa_key.c index 831c2b1..4415884 100644 --- a/crypto/dsa/dsa_key.c +++ b/crypto/dsa/dsa_key.c @@ -59,7 +59,7 @@ #include #include "internal/cryptlib.h" #include -#include +#include "dsa_locl.h" #include static int dsa_builtin_keygen(DSA *dsa); 
diff --git a/crypto/dsa/dsa_lib.c b/crypto/dsa/dsa_lib.c index fa8330f..4d5281a 100644 --- a/crypto/dsa/dsa_lib.c +++ b/crypto/dsa/dsa_lib.c @@ -60,7 +60,7 @@ #include #include "internal/cryptlib.h" #include -#include +#include "dsa_locl.h" #include #include #include @@ -104,6 +104,11 @@ int DSA_set_method(DSA *dsa, const DSA_METHOD *meth) return 1; } +const DSA_METHOD *DSA_get_method(DSA *d) +{ + return d->meth; +} + DSA *DSA_new_method(ENGINE *engine) { DSA *ret; @@ -280,3 +285,69 @@ DH *DSA_dup_DH(const DSA *r) return NULL; } #endif + +void DSA_get0_pqg(const DSA *d, BIGNUM **p, BIGNUM **q, BIGNUM **g) +{ + if (p != NULL) + *p = d->p; + if (q != NULL) + *q = d->q; + if (g != NULL) + *g = d->g; +} + +int DSA_set0_pqg(DSA *d, BIGNUM *p, BIGNUM *q, BIGNUM *g) +{ + if (p == NULL || q == NULL || g == NULL) + return 0; + BN_free(d->p); + BN_free(d->q); + BN_free(d->g); + d->p = p; + d->q = q; + d->g = g; + + return 1; +} + +void DSA_get0_key(const DSA *d, BIGNUM **pub_key, BIGNUM **priv_key) +{ + if (pub_key != NULL) + *pub_key = d->pub_key; + if (priv_key != NULL) + *priv_key = d->priv_key; +} + +int DSA_set0_key(DSA *d, BIGNUM *pub_key, BIGNUM *priv_key) +{ + /* Note that it is valid for priv_key to be NULL */ + if (pub_key == NULL) + return 0; + + BN_free(d->pub_key); + BN_free(d->priv_key); + d->pub_key = pub_key; + d->priv_key = priv_key; + + return 1; +} + +void DSA_clear_flags(DSA *d, int flags) +{ + d->flags &= ~flags; +} + +int DSA_test_flags(const DSA *d, int flags) +{ + return d->flags & flags; +} + +void DSA_set_flags(DSA *d, int flags) +{ + d->flags |= flags; +} + +ENGINE *DSA_get0_engine(DSA *d) +{ + return d->engine; +} diff --git a/crypto/dsa/dsa_locl.h b/crypto/dsa/dsa_locl.h index 6182495..657fbff 100644 --- a/crypto/dsa/dsa_locl.h +++ b/crypto/dsa/dsa_locl.h 
@@ -54,6 +54,55 @@ #include +struct dsa_st { + /* + * This first variable is used to pick up errors where a DSA is passed + * instead of of a EVP_PKEY + */ + int pad; + long version; + BIGNUM *p; + BIGNUM *q; /* == 20 */ + BIGNUM *g; + BIGNUM *pub_key; /* y public key */ + BIGNUM *priv_key; /* x private key */ + int flags; + /* Normally used to cache montgomery values */ + BN_MONT_CTX *method_mont_p; + int references; + CRYPTO_EX_DATA ex_data; + const DSA_METHOD *meth; + /* functional reference if 'meth' is ENGINE-provided */ + ENGINE *engine; + CRYPTO_RWLOCK *lock; +}; + +struct dsa_method { + char *name; + DSA_SIG *(*dsa_do_sign) (const unsigned char *dgst, int dlen, DSA *dsa); + int (*dsa_sign_setup) (DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, + BIGNUM **rp); + int (*dsa_do_verify) (const unsigned char *dgst, int dgst_len, + DSA_SIG *sig, DSA *dsa); + int (*dsa_mod_exp) (DSA *dsa, BIGNUM *rr, BIGNUM *a1, BIGNUM *p1, + BIGNUM *a2, BIGNUM *p2, BIGNUM *m, BN_CTX *ctx, + BN_MONT_CTX *in_mont); + /* Can be null */ + int (*bn_mod_exp) (DSA *dsa, BIGNUM *r, BIGNUM *a, const BIGNUM *p, + const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx); + int (*init) (DSA *dsa); + int (*finish) (DSA *dsa); + int flags; + void *app_data; + /* If this is non-NULL, it is used to generate DSA parameters */ + int (*dsa_paramgen) (DSA *dsa, int bits, + const unsigned char *seed, int seed_len, + int *counter_ret, unsigned long *h_ret, + BN_GENCB *cb); + /* If this is non-NULL, it is used to generate DSA keys */ + int (*dsa_keygen) (DSA *dsa); +}; + int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits, const EVP_MD *evpmd, const unsigned char *seed_in, size_t seed_len, unsigned char *seed_out, diff --git a/crypto/dsa/dsa_meth.c b/crypto/dsa/dsa_meth.c new file mode 100644 index 0000000..816e35e --- /dev/null +++ b/crypto/dsa/dsa_meth.c 
@@ -0,0 +1,197 @@ +/* + * Licensed under the OpenSSL licenses, (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * https://www.openssl.org/source/license.html + * or in the file LICENSE in the source distribution. + */ + +#include "dsa_locl.h" +#include + +DSA_METHOD *DSA_meth_new(const char *name, int flags) +{ + DSA_METHOD *dsam = OPENSSL_zalloc(sizeof(DSA_METHOD)); + + if (dsam != NULL) { + dsam->name = OPENSSL_strdup(name); + dsam->flags = flags; + } + + return dsam; +} + +void DSA_meth_free(DSA_METHOD *dsam) +{ + if (dsam != NULL) { + if (dsam->name != NULL) + OPENSSL_free(dsam->name); + OPENSSL_free(dsam); + } +} + +DSA_METHOD *DSA_meth_dup(const DSA_METHOD *dsam) +{ + DSA_METHOD *ret; + + ret = OPENSSL_malloc(sizeof(DSA_METHOD)); + + if (ret != NULL) { + memcpy(ret, dsam, sizeof(*dsam)); + ret->name = OPENSSL_strdup(dsam->name); + } + + return ret; +} + +const char *DSA_meth_get0_name(const DSA_METHOD *dsam) +{ + return dsam->name; +} + +int DSA_meth_set1_name(DSA_METHOD *dsam, const char *name) +{ + OPENSSL_free(dsam->name); + dsam->name = OPENSSL_strdup(name); + + return dsam->name != NULL; +} + +int DSA_meth_get_flags(DSA_METHOD *dsam) +{ + return dsam->flags; +} + +int DSA_meth_set_flags(DSA_METHOD *dsam, int flags) +{ + dsam->flags = flags; + return 1; +} + +void *DSA_meth_get0_app_data(const DSA_METHOD *dsam) +{ + return dsam->app_data; +} + +int DSA_meth_set0_app_data(DSA_METHOD *dsam, void *app_data) +{ + dsam->app_data = app_data; + return 1; +} + +DSA_SIG *(*DSA_meth_get_sign(const DSA_METHOD *dsam)) + (const unsigned char *, int, DSA *) +{ + return dsam->dsa_do_sign; +} + +int DSA_meth_set_sign(DSA_METHOD *dsam, + DSA_SIG *(*sign) (const unsigned char *, int, DSA *)) +{ + dsam->dsa_do_sign = sign; + return 1; +} + +int (*DSA_meth_get_sign_setup(const DSA_METHOD *dsam)) + (DSA *, BN_CTX *, BIGNUM **, BIGNUM **) +{ + return dsam->dsa_sign_setup; +} + +int 
DSA_meth_set_sign_setup(DSA_METHOD *dsam, + int (*sign_setup) (DSA *, BN_CTX *, BIGNUM **, BIGNUM **)) +{ + dsam->dsa_sign_setup = sign_setup; + return 1; +} + +int (*DSA_meth_get_verify(const DSA_METHOD *dsam)) + (const unsigned char *, int , DSA_SIG *, DSA *) +{ + return dsam->dsa_do_verify; +} + +int DSA_meth_set_verify(DSA_METHOD *dsam, + int (*verify) (const unsigned char *, int, DSA_SIG *, DSA *)) +{ + dsam->dsa_do_verify = verify; + return 1; +} + +int (*DSA_meth_get_mod_exp(const DSA_METHOD *dsam)) + (DSA *, BIGNUM *, BIGNUM *, BIGNUM *, BIGNUM *, BIGNUM *, BIGNUM *, + BN_CTX *, BN_MONT_CTX *) +{ + return dsam->dsa_mod_exp; +} + +int DSA_meth_set_mod_exp(DSA_METHOD *dsam, + int (*mod_exp) (DSA *, BIGNUM *, BIGNUM *, BIGNUM *, BIGNUM *, BIGNUM *, + BIGNUM *, BN_CTX *, BN_MONT_CTX *)) +{ + dsam->dsa_mod_exp = mod_exp; + return 1; +} + +int (*DSA_meth_get_bn_mod_exp(const DSA_METHOD *dsam)) + (DSA *, BIGNUM *, BIGNUM *, const BIGNUM *, const BIGNUM *, BN_CTX *, + BN_MONT_CTX *) +{ + return dsam->bn_mod_exp; +} + +int DSA_meth_set_bn_mod_exp(DSA_METHOD *dsam, + int (*bn_mod_exp) (DSA *, BIGNUM *, BIGNUM *, const BIGNUM *, + const BIGNUM *, BN_CTX *, BN_MONT_CTX *)) +{ + dsam->bn_mod_exp = bn_mod_exp; + return 1; +} + +int (*DSA_meth_get_init(const DSA_METHOD *dsam))(DSA *) +{ + return dsam->init; +} + +int DSA_meth_set_init(DSA_METHOD *dsam, int (*init)(DSA *)) +{ + dsam->init = init; + return 1; +} + +int (*DSA_meth_get_finish(const DSA_METHOD *dsam)) (DSA *) +{ + return dsam->finish; +} + +int DSA_meth_set_finish(DSA_METHOD *dsam, int (*finish) (DSA *)) +{ + dsam->finish = finish; + return 1; +} + +int (*DSA_meth_get_paramgen(const DSA_METHOD *dsam)) + (DSA *, int, const unsigned char *, int, int *, unsigned long *, + BN_GENCB *) +{ + return dsam->dsa_paramgen; +} + +int DSA_meth_set_paramgen(DSA_METHOD *dsam, + int (*paramgen) (DSA *, int, const unsigned char *, int, int *, + unsigned long *, BN_GENCB *)) +{ + dsam->dsa_paramgen = paramgen; + return 1; +} + 
+int (*DSA_meth_get_keygen(const DSA_METHOD *dsam)) (DSA *) +{ + return dsam->dsa_keygen; +} + +int DSA_meth_set_keygen(DSA_METHOD *dsam, int (*keygen) (DSA *)) +{ + dsam->dsa_keygen = keygen; + return 1; +} diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c index 31a6d53..9285553 100644 --- a/crypto/dsa/dsa_ossl.c +++ b/crypto/dsa/dsa_ossl.c @@ -61,7 +61,7 @@ #include "internal/cryptlib.h" #include #include -#include +#include "dsa_locl.h" #include #include diff --git a/crypto/dsa/dsa_sign.c b/crypto/dsa/dsa_sign.c index ca712cf..b9dcd5b 100644 --- a/crypto/dsa/dsa_sign.c +++ b/crypto/dsa/dsa_sign.c @@ -58,7 +58,7 @@ /* Original version from Steven Schoch */ #include "internal/cryptlib.h" -#include +#include "dsa_locl.h" #include #include diff --git a/crypto/dsa/dsa_vrf.c b/crypto/dsa/dsa_vrf.c index 6724b75..6ce9968 100644 --- a/crypto/dsa/dsa_vrf.c +++ b/crypto/dsa/dsa_vrf.c @@ -58,7 +58,7 @@ /* Original version from Steven Schoch */ #include "internal/cryptlib.h" -#include +#include "dsa_locl.h" int DSA_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig, DSA *dsa) diff --git a/crypto/engine/eng_cryptodev.c b/crypto/engine/eng_cryptodev.c index e5df8e7..bb2ce9e 100644 --- a/crypto/engine/eng_cryptodev.c +++ b/crypto/engine/eng_cryptodev.c @@ -84,6 +84,10 @@ struct dev_crypto_state { static u_int32_t cryptodev_asymfeat = 0; +#ifndef OPENSSL_NO_DSA +static DSA_METHOD *cryptodev_dsa = NULL; +#endif + static int get_asym_dev_crypto(void); static int open_dev_crypto(void); static int get_dev_crypto(void); @@ -1172,6 +1176,10 @@ static int cryptodev_engine_destroy(ENGINE *e) EVP_MD_meth_free(md5_md); md5_md = NULL; # endif +#ifndef OPENSSL_NO_DSA + DSA_meth_free(cryptodev_dsa); + cryptodev_dsa = NULL; +#endif return 1; } 
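Review bot: DSA_set0_key() in crypto/dsa/dsa_lib.c releases the previous private key with BN_free(d->priv_key), which does not wipe the value before the memory is returned; use BN_clear_free() for priv_key. Because priv_key is allowed to be NULL, calling DSA_set0_key(d, pub_key, NULL) on a DSA that already holds a private key also discards it silently, which should either be documented or avoided by replacing only the fields whose new value is non-NULL.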
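Review bot: DSA_meth_new() and DSA_meth_dup() in crypto/dsa/dsa_meth.c do not check the result of OPENSSL_strdup(), so an allocation failure returns a DSA_METHOD whose name is NULL instead of reporting the failure; free the partly built object and return NULL in that case. DSA_meth_set1_name() has a related problem: it frees the old name before the copy is known to have succeeded, so a failed strdup leaves name NULL; duplicate first and swap only on success.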
@@ -1399,8 +1407,11 @@ cryptodev_dsa_dsa_mod_exp(DSA *dsa, BIGNUM *t1, BIGNUM *g, BIGNUM *u1, BIGNUM *pub_key, BIGNUM *u2, BIGNUM *p, BN_CTX *ctx, BN_MONT_CTX *mont) { - BIGNUM *t2; + BIGNUM *t2, *dsag, *dsap, *dsapub_key; int ret = 0; + const DSA_METHOD *meth; + int (*bn_mod_exp)(DSA *, BIGNUM *, BIGNUM *, const BIGNUM *, const BIGNUM *, + BN_CTX *, BN_MONT_CTX *); t2 = BN_new(); if (t2 == NULL) @@ -1410,14 +1421,24 @@ cryptodev_dsa_dsa_mod_exp(DSA *dsa, BIGNUM *t1, BIGNUM *g, /* let t1 = g ^ u1 mod p */ ret = 0; - if (!dsa->meth->bn_mod_exp(dsa, t1, dsa->g, u1, dsa->p, ctx, mont)) + DSA_get0_pqg(dsa, &dsap, NULL, &dsag); + DSA_get0_key(dsa, &dsapub_key, NULL); + + meth = DSA_get_method(dsa); + if (meth == NULL) + goto err; + bn_mod_exp = DSA_meth_get_bn_mod_exp(meth); + if (bn_mod_exp == NULL) + goto err; + + if (!bn_mod_exp(dsa, t1, dsag, u1, dsap, ctx, mont)) goto err; /* let t2 = y ^ u2 mod p */ - if (!dsa->meth->bn_mod_exp(dsa, t2, dsa->pub_key, u2, dsa->p, ctx, mont)) + if (!bn_mod_exp(dsa, t2, dsapub_key, u2, dsap, ctx, mont)) goto err; /* let u1 = t1 * t2 mod p */ - if (!BN_mod_mul(u1, t1, t2, dsa->p, ctx)) + if (!BN_mod_mul(u1, t1, t2, dsap, ctx)) goto err; BN_copy(t1, u1); @@ -1432,7 +1453,8 @@ static DSA_SIG *cryptodev_dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa) { struct crypt_kop kop; - BIGNUM *r = NULL, *s = NULL; + BIGNUM *r = NULL, *s = NULL, *dsap = NULL, *dsaq = NULL, *dsag = NULL; + BIGNUM *priv_key = NULL; DSA_SIG *dsasig, *dsaret = NULL; dsasig = DSA_SIG_new(); 
@@ -1446,22 +1468,23 @@ static DSA_SIG *cryptodev_dsa_do_sign(const unsigned char *dgst, int dlen, /* inputs: dgst dsa->p dsa->q dsa->g dsa->priv_key */ kop.crk_param[0].crp_p = (caddr_t) dgst; kop.crk_param[0].crp_nbits = dlen * 8; - if (bn2crparam(dsa->p, &kop.crk_param[1])) + DSA_get0_pqg(dsa, &dsap, &dsaq, &dsag); + DSA_get0_key(dsa, NULL, &priv_key); + if (bn2crparam(dsap, &kop.crk_param[1])) goto err; - if (bn2crparam(dsa->q, &kop.crk_param[2])) + if (bn2crparam(dsaq, &kop.crk_param[2])) goto err; - if (bn2crparam(dsa->g, &kop.crk_param[3])) + if (bn2crparam(dsag, &kop.crk_param[3])) goto err; - if (bn2crparam(dsa->priv_key, &kop.crk_param[4])) + if (bn2crparam(priv_key, &kop.crk_param[4])) goto err; kop.crk_iparams = 5; - if (cryptodev_asym(&kop, BN_num_bytes(dsa->q), r, - BN_num_bytes(dsa->q), s) == 0) { + if (cryptodev_asym(&kop, BN_num_bytes(dsaq), r, + BN_num_bytes(dsaq), s) == 0) { dsaret = dsasig; } else { - const DSA_METHOD *meth = DSA_OpenSSL(); - dsaret = (meth->dsa_do_sign) (dgst, dlen, dsa); + dsaret = DSA_meth_get_sign(DSA_OpenSSL())(dgst, dlen, dsa); } err: if (dsaret != dsasig) @@ -1477,7 +1500,7 @@ cryptodev_dsa_verify(const unsigned char *dgst, int dlen, { struct crypt_kop kop; int dsaret = 1; - BIGNUM *pr, *ps; + BIGNUM *pr, *ps, *p = NULL, *q = NULL, *g = NULL, *pub_key = NULL; memset(&kop, 0, sizeof(kop)); kop.crk_op = CRK_DSA_VERIFY; 
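Review bot: in cryptodev_dsa_do_sign(), priv_key obtained from DSA_get0_key() goes straight into bn2crparam() with no NULL check, although DSA_set0_key() in this patch explicitly allows a DSA object without a private key. Check priv_key after the DSA_get0_key() call and fail the sign request through the err: path when it is absent.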
@@ -1485,13 +1508,15 @@ cryptodev_dsa_verify(const unsigned char *dgst, int dlen, /* inputs: dgst dsa->p dsa->q dsa->g dsa->pub_key sig->r sig->s */ kop.crk_param[0].crp_p = (caddr_t) dgst; kop.crk_param[0].crp_nbits = dlen * 8; - if (bn2crparam(dsa->p, &kop.crk_param[1])) + DSA_get0_pqg(dsa, &p, &q, &g); + if (bn2crparam(p, &kop.crk_param[1])) goto err; - if (bn2crparam(dsa->q, &kop.crk_param[2])) + if (bn2crparam(q, &kop.crk_param[2])) goto err; - if (bn2crparam(dsa->g, &kop.crk_param[3])) + if (bn2crparam(g, &kop.crk_param[3])) goto err; - if (bn2crparam(dsa->pub_key, &kop.crk_param[4])) + DSA_get0_key(dsa, &pub_key, NULL); + if (bn2crparam(pub_key, &kop.crk_param[4])) goto err; DSA_SIG_get0(&pr, &ps, sig); if (bn2crparam(pr, &kop.crk_param[5])) @@ -1507,28 +1532,13 @@ cryptodev_dsa_verify(const unsigned char *dgst, int dlen, if (0 != kop.crk_status) dsaret = 0; } else { - const DSA_METHOD *meth = DSA_OpenSSL(); - - dsaret = (meth->dsa_do_verify) (dgst, dlen, sig, dsa); + dsaret = DSA_meth_get_verify(DSA_OpenSSL())(dgst, dlen, sig, dsa); } err: kop.crk_param[0].crp_p = NULL; zapparams(&kop); return (dsaret); } - -static DSA_METHOD cryptodev_dsa = { - "cryptodev DSA method", - NULL, - NULL, /* dsa_sign_setup */ - NULL, - NULL, /* dsa_mod_exp */ - NULL, - NULL, /* init */ - NULL, /* finish */ - 0, /* flags */ - NULL /* app_data */ -}; #endif #ifndef OPENSSL_NO_DH 
@@ -1670,18 +1680,23 @@ void engine_load_cryptodev_internal(void) } #ifndef OPENSSL_NO_DSA - if (ENGINE_set_DSA(engine, &cryptodev_dsa)) { - const DSA_METHOD *meth = DSA_OpenSSL(); - - memcpy(&cryptodev_dsa, meth, sizeof(DSA_METHOD)); - if (cryptodev_asymfeat & CRF_DSA_SIGN) - cryptodev_dsa.dsa_do_sign = cryptodev_dsa_do_sign; - if (cryptodev_asymfeat & CRF_MOD_EXP) { - cryptodev_dsa.bn_mod_exp = cryptodev_dsa_bn_mod_exp; - cryptodev_dsa.dsa_mod_exp = cryptodev_dsa_dsa_mod_exp; + cryptodev_dsa = DSA_meth_dup(DSA_OpenSSL()); + if (cryptodev_dsa != NULL) { + DSA_meth_set1_name(cryptodev_dsa, "cryptodev DSA method"); + DSA_meth_set_flags(cryptodev_dsa, 0); + if (ENGINE_set_DSA(engine, cryptodev_dsa)) { + if (cryptodev_asymfeat & CRF_DSA_SIGN) + DSA_meth_set_sign(cryptodev_dsa, cryptodev_dsa_do_sign); + if (cryptodev_asymfeat & CRF_MOD_EXP) { + DSA_meth_set_bn_mod_exp(cryptodev_dsa, cryptodev_dsa_bn_mod_exp); + DSA_meth_set_mod_exp(cryptodev_dsa, cryptodev_dsa_dsa_mod_exp); + } + if (cryptodev_asymfeat & CRF_DSA_VERIFY) + DSA_meth_set_verify(cryptodev_dsa, cryptodev_dsa_verify); } - if (cryptodev_asymfeat & CRF_DSA_VERIFY) - cryptodev_dsa.dsa_do_verify = cryptodev_dsa_verify; + } else { + ENGINE_free(engine); + return; } #endif diff --git a/crypto/pem/pvkfmt.c b/crypto/pem/pvkfmt.c index 117d2b7..e378b57 100644 --- a/crypto/pem/pvkfmt.c +++ b/crypto/pem/pvkfmt.c 
@@ -289,34 +289,48 @@ static EVP_PKEY *b2i_dss(const unsigned char **in, DSA *dsa = NULL; BN_CTX *ctx = NULL; unsigned int nbyte; + BIGNUM *pbn = NULL, *qbn = NULL, *gbn = NULL, *priv_key = NULL; + BIGNUM *pub_key = NULL; + nbyte = (bitlen + 7) >> 3; dsa = DSA_new(); ret = EVP_PKEY_new(); if (dsa == NULL || ret == NULL) goto memerr; - if (!read_lebn(&p, nbyte, &dsa->p)) + if (!read_lebn(&p, nbyte, &pbn)) goto memerr; - if (!read_lebn(&p, 20, &dsa->q)) + + if (!read_lebn(&p, 20, &qbn)) goto memerr; - if (!read_lebn(&p, nbyte, &dsa->g)) + + if (!read_lebn(&p, nbyte, &gbn)) goto memerr; + if (ispub) { - if (!read_lebn(&p, nbyte, &dsa->pub_key)) + if (!read_lebn(&p, nbyte, &pub_key)) goto memerr; } else { - if (!read_lebn(&p, 20, &dsa->priv_key)) + if (!read_lebn(&p, 20, &priv_key)) goto memerr; + /* Calculate public key */ - if ((dsa->pub_key = BN_new()) == NULL) + pub_key = BN_new(); + if (pub_key == NULL) goto memerr; if ((ctx = BN_CTX_new()) == NULL) goto memerr; - if (!BN_mod_exp(dsa->pub_key, dsa->g, dsa->priv_key, dsa->p, ctx)) + if (!BN_mod_exp(pub_key, gbn, priv_key, pbn, ctx)) goto memerr; + BN_CTX_free(ctx); } + if (!DSA_set0_pqg(dsa, pbn, qbn, gbn)) + goto memerr; + pbn = qbn = gbn = NULL; + if (!DSA_set0_key(dsa, pub_key, priv_key)) + goto memerr; EVP_PKEY_set1_DSA(ret, dsa); DSA_free(dsa); @@ -326,6 +340,11 @@ static EVP_PKEY *b2i_dss(const unsigned char **in, memerr: PEMerr(PEM_F_B2I_DSS, ERR_R_MALLOC_FAILURE); DSA_free(dsa); + BN_free(pbn); + BN_free(qbn); + BN_free(gbn); + BN_free(pub_key); + BN_free(priv_key); EVP_PKEY_free(ret); BN_CTX_free(ctx); return NULL; 
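Review bot: in b2i_dss(), the private-key branch calls BN_CTX_free(ctx) and leaves ctx pointing at freed memory, and the DSA_set0_pqg() and DSA_set0_key() checks added after it jump to memerr:, which calls BN_CTX_free(ctx) a second time. Set ctx = NULL immediately after the first free. The memerr: block should also release priv_key with BN_clear_free() rather than BN_free(), since on that path it holds a private key just read from the input.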
@@ -484,16 +503,20 @@ static int do_i2b_bio(BIO *out, EVP_PKEY *pk, int ispub) static int check_bitlen_dsa(DSA *dsa, int ispub, unsigned int *pmagic) { int bitlen; - bitlen = BN_num_bits(dsa->p); - if ((bitlen & 7) || (BN_num_bits(dsa->q) != 160) - || (BN_num_bits(dsa->g) > bitlen)) + BIGNUM *p = NULL, *q = NULL, *g = NULL, *pub_key = NULL, *priv_key = NULL; + + DSA_get0_pqg(dsa, &p, &q, &g); + DSA_get0_key(dsa, &pub_key, &priv_key); + bitlen = BN_num_bits(p); + if ((bitlen & 7) || (BN_num_bits(q) != 160) + || (BN_num_bits(g) > bitlen)) goto badkey; if (ispub) { - if (BN_num_bits(dsa->pub_key) > bitlen) + if (BN_num_bits(pub_key) > bitlen) goto badkey; *pmagic = MS_DSS1MAGIC; } else { - if (BN_num_bits(dsa->priv_key) > 160) + if (BN_num_bits(priv_key) > 160) goto badkey; *pmagic = MS_DSS2MAGIC; } @@ -555,14 +578,18 @@ static void write_rsa(unsigned char **out, RSA *rsa, int ispub) static void write_dsa(unsigned char **out, DSA *dsa, int ispub) { int nbyte; - nbyte = BN_num_bytes(dsa->p); - write_lebn(out, dsa->p, nbyte); - write_lebn(out, dsa->q, 20); - write_lebn(out, dsa->g, nbyte); + BIGNUM *p = NULL, *q = NULL, *g = NULL, *pub_key = NULL, *priv_key = NULL; + + DSA_get0_pqg(dsa, &p, &q, &g); + DSA_get0_key(dsa, &pub_key, &priv_key); + nbyte = BN_num_bytes(p); + write_lebn(out, p, nbyte); + write_lebn(out, q, 20); + write_lebn(out, g, nbyte); if (ispub) - write_lebn(out, dsa->pub_key, nbyte); + write_lebn(out, pub_key, nbyte); else - write_lebn(out, dsa->priv_key, 20); + write_lebn(out, priv_key, 20); /* Set "invalid" for seed structure values */ memset(*out, 0xff, 24); *out += 24; diff --git a/doc/crypto/DSA_get0_pqg.pod b/doc/crypto/DSA_get0_pqg.pod new file mode 100644 index 0000000..1c835f0 --- /dev/null +++ b/doc/crypto/DSA_get0_pqg.pod 
@@ -0,0 +1,82 @@ +=pod + +=head1 NAME + +DSA_get0_pqg, DSA_set0_pqg, DSA_get0_key, DSA_set0_key, DSA_clear_flags, +DSA_test_flags, DSA_set_flags, DSA_get0_engine - Routines for getting and +setting data in a DSA object + +=head1 SYNOPSIS + + #include + + void DSA_get0_pqg(const DSA *d, BIGNUM **p, BIGNUM **q, BIGNUM **g); + int DSA_set0_pqg(DSA *d, BIGNUM *p, BIGNUM *q, BIGNUM *g); + void DSA_get0_key(const DSA *d, BIGNUM **pub_key, BIGNUM **priv_key); + int DSA_set0_key(DSA *d, BIGNUM *pub_key, BIGNUM *priv_key); + void DSA_clear_flags(DSA *d, int flags); + int DSA_test_flags(const DSA *d, int flags); + void DSA_set_flags(DSA *d, int flags); + ENGINE *DSA_get0_engine(DSA *d); + +=head1 DESCRIPTION + +A DSA object contains the parameters B

, B and B. It also contains a +public key (B) and (optionally) a private key (B). + +The B

, B and B parameters can be obtained by calling DSA_get0_pqg(). +If the parameters have not yet been set then B<*p>, B<*q> and B<*g> will be set +to NULL. Otherwise they are set to pointers to their respective values. These +point directly to the internal representations of the values and therefore +should not be freed directly. + +The B

, B and B values can be set by calling DSA_set0_pqg() and passing +the new values for B

, B and B as parameters to the function. Calling +this function transfers the memory management of the values to the DSA object, +and therefore the values that have been passed in should not be freed directly +after this function has been called. + +To get the public and private key values use the DSA_get0_key() function. A +pointer to the public key will be stored in B<*pub_key>, and a pointer to the +private key will be stored in B<*priv_key>. Either may be NULL if they have not +been set yet, although if the private key has been set then the public key must +be. The values point to the internal representation of the public key and +private key values. This memory should not be freed directly. + +The public and private key values can be set using DSA_set0_key(). The public +key must always be non-NULL. The private key may be NULL. As for DSA_set0_pqg() +this function transfers the memory management of the key values to the DSA +object, and therefore they should not be freed directly after this function has +been called. + +DSA_set_flags() sets the flags in the B parameter on the DSA object. +Multiple flags can be passed in one go (bitwise ORed together). Any flags that +are already set are left set. DSA_test_flags() tests to see whether the flags +passed in the B parameter are currently set in the DSA object. Multiple +flags can be tested in one go. All flags that are currently set are returned, or +zero if none of the flags are set. DSA_clear_flags() clears the specified flags +within the DSA object. + +DSA_get0_engine() returns a handle to the ENGINE that has been set for this DSA +object, or NULL if no such ENGINE has been set. + +=head1 RETURN VALUES + +DSA_set0_pqg() and DSA_set0_key() return 1 on success or 0 on failure. + +DSA_test_flags() returns the current state of the flags in the DSA object. + +DSA_get0_engine() returns the ENGINE set for the DSA object or NULL if no ENGINE +has been set. 
+ +=head1 SEE ALSO + +L, L, L, L, +L, L, L, L, +L, L, L + +=head1 HISTORY + +The functions described here were added in OpenSSL version 1.1.0. + +=cut diff --git a/doc/crypto/DSA_meth_new.pod b/doc/crypto/DSA_meth_new.pod new file mode 100644 index 0000000..84584f1 --- /dev/null +++ b/doc/crypto/DSA_meth_new.pod 
@@ -0,0 +1,184 @@ +=pod + +=head1 NAME + +DSA_meth_new, DSA_meth_free, DSA_meth_dup, DSA_meth_get0_name, +DSA_meth_set1_name, DSA_meth_get_flags, DSA_meth_set_flags, +DSA_meth_get0_app_data, DSA_meth_set0_app_data, DSA_meth_get_sign, +DSA_meth_set_sign, DSA_meth_get_sign_setup, DSA_meth_set_sign_setup, +DSA_meth_get_verify, DSA_meth_set_verify, DSA_meth_get_mod_exp, +DSA_meth_set_mod_exp, DSA_meth_get_bn_mod_exp, DSA_meth_set_bn_mod_exp, +DSA_meth_get_init, DSA_meth_set_init, DSA_meth_get_finish, DSA_meth_set_finish, +DSA_meth_get_paramgen, DSA_meth_set_paramgen, DSA_meth_get_keygen, +DSA_meth_set_keygen - Routines to build up DSA methods + +=head1 SYNOPSIS + + #include + + DSA_METHOD *DSA_meth_new(const char *name, int flags); + void DSA_meth_free(DSA_METHOD *dsam); + DSA_METHOD *DSA_meth_dup(const DSA_METHOD *meth); + const char *DSA_meth_get0_name(const DSA_METHOD *dsam); + int DSA_meth_set1_name(DSA_METHOD *dsam, const char *name); + int DSA_meth_get_flags(DSA_METHOD *dsam); + int DSA_meth_set_flags(DSA_METHOD *dsam, int flags); + void *DSA_meth_get0_app_data(const DSA_METHOD *dsam); + int DSA_meth_set0_app_data(DSA_METHOD *dsam, void *app_data); + DSA_SIG *(*DSA_meth_get_sign(const DSA_METHOD *dsam)) + (const unsigned char *, int, DSA *); + int DSA_meth_set_sign(DSA_METHOD *dsam, + DSA_SIG *(*sign) (const unsigned char *, int, DSA *)); + int (*DSA_meth_get_sign_setup(const DSA_METHOD *dsam)) + (DSA *, BN_CTX *, BIGNUM **, BIGNUM **); + int DSA_meth_set_sign_setup(DSA_METHOD *dsam, + int (*sign_setup) (DSA *, BN_CTX *, BIGNUM **, BIGNUM **)); + int (*DSA_meth_get_verify(const DSA_METHOD *dsam)) + (const unsigned char *, int , DSA_SIG *, DSA *); + int DSA_meth_set_verify(DSA_METHOD *dsam, + int (*verify) (const unsigned char *, int, DSA_SIG *, DSA *)); + int (*DSA_meth_get_mod_exp(const DSA_METHOD *dsam)) + (DSA *dsa, BIGNUM *rr, BIGNUM *a1, BIGNUM *p1, BIGNUM *a2, BIGNUM *p2, + BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *in_mont); + int DSA_meth_set_mod_exp(DSA_METHOD 
*dsam, + int (*mod_exp) (DSA *dsa, BIGNUM *rr, BIGNUM *a1, BIGNUM *p1, BIGNUM *a2, + BIGNUM *p2, BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *mont)); + int (*DSA_meth_get_bn_mod_exp(const DSA_METHOD *dsam)) + (DSA *dsa, BIGNUM *r, BIGNUM *a, const BIGNUM *p, const BIGNUM *m, + BN_CTX *ctx, BN_MONT_CTX *mont); + int DSA_meth_set_bn_mod_exp(DSA_METHOD *dsam, + int (*bn_mod_exp) (DSA *dsa, BIGNUM *r, BIGNUM *a, const BIGNUM *p, + const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *mont)); + int (*DSA_meth_get_init(const DSA_METHOD *dsam))(DSA *); + int DSA_meth_set_init(DSA_METHOD *dsam, int (*init)(DSA *)); + int (*DSA_meth_get_finish(const DSA_METHOD *dsam)) (DSA *); + int DSA_meth_set_finish(DSA_METHOD *dsam, int (*finish) (DSA *)); + int (*DSA_meth_get_paramgen(const DSA_METHOD *dsam)) + (DSA *, int, const unsigned char *, int, int *, unsigned long *, + BN_GENCB *); + int DSA_meth_set_paramgen(DSA_METHOD *dsam, + int (*paramgen) (DSA *, int, const unsigned char *, int, int *, + unsigned long *, BN_GENCB *)); + int (*DSA_meth_get_keygen(const DSA_METHOD *dsam)) (DSA *); + int DSA_meth_set_keygen(DSA_METHOD *dsam, int (*keygen) (DSA *)); + +=head1 DESCRIPTION + +The B type is a structure used for the provision of custom DSA +implementations. It provides a set of of functions used by OpenSSL for the +implementation of the various DSA capabilities. See the L page for more +information. + +DSA_meth_new() creates a new B structure. It should be given a +unique B and a set of B. The B should be a NULL terminated +string, which will be duplicated and stored in the B object. It is +the callers responsibility to free the original string. The flags will be used +during the construction of a new B object based on this B. Any +new B object will have those flags set by default. + +DSA_meth_dup() creates a duplicate copy of the B object passed as a +parameter. This might be useful for creating a new B based on an +existing one, but with some differences. 
+ +DSA_meth_free() destroys a B structure and frees up any memory +associated with it. + +DSA_meth_get0_name() will return a pointer to the name of this DSA_METHOD. This +is a pointer to the internal name string and so should not be freed by the +caller. DSA_meth_set1_name() sets the name of the DSA_METHOD to B. The +string is duplicated and the copy is stored in the DSA_METHOD structure, so the +caller remains responsible for freeing the memory associated with the name. + +DSA_meth_get_flags() returns the current value of the flags associated with this +DSA_METHOD. DSA_meth_set_flags() provides the ability to set these flags. + +The functions DSA_meth_get0_app_data() and DSA_meth_set0_app_data() provide the +ability to associate implementation specific data with the DSA_METHOD. It is +the application's responsibility to free this data before the DSA_METHOD is +freed via a call to DSA_meth_free(). + +DSA_meth_get_sign() and DSA_meth_set_sign() get and set the function used for +creating a DSA signature respectively. This function will be +called in response to the application calling DSA_do_sign() (or DSA_sign()). The +parameters for the function have the same meaning as for DSA_do_sign(). + +DSA_meth_get_sign_setup() and DSA_meth_set_sign_setup() get and set the function +used for precalculating the DSA signature values B and B. This function +will be called in response to the application calling DSA_sign_setup(). The +parameters for the function have the same meaning as for DSA_sign_setup(). + +DSA_meth_get_verify() and DSA_meth_set_verify() get and set the function used +for verifying a DSA signature respectively. This function will be called in +response to the application calling DSA_do_verify() (or DSA_verify()). The +parameters for the function have the same meaning as for DSA_do_verify(). 
+ +DSA_meth_get_mod_exp() and DSA_meth_set_mod_exp() get and set the function used +for computing the following value: + + rr = a1^p1 * a2^p2 mod m + +This function will be called by the default OpenSSL method during verification +of a DSA signature. The result is stored in the B parameter. This function +may be NULL. + +DSA_meth_get_bn_mod_exp() and DSA_meth_set_bn_mod_exp() get and set the function +used for computing the following value: + + r = a ^ p mod m + +This function will be called by the default OpenSSL function for +DSA_sign_setup(). The result is stored in the B parameter. This function +may be NULL. + +DSA_meth_get_init() and DSA_meth_set_init() get and set the function used +for creating a new DSA instance respectively. This function will be +called in response to the application calling DSA_new() (if the current default +DSA_METHOD is this one) or DSA_new_method(). The DSA_new() and DSA_new_method() +functions will allocate the memory for the new DSA object, and a pointer to this +newly allocated structure will be passed as a parameter to the function. This +function may be NULL. + +DSA_meth_get_finish() and DSA_meth_set_finish() get and set the function used +for destroying an instance of a DSA object respectively. This function will be +called in response to the application calling DSA_free(). A pointer to the DSA +to be destroyed is passed as a parameter. The destroy function should be used +for DSA implementation specific clean up. The memory for the DSA itself should +not be freed by this function. This function may be NULL. + +DSA_meth_get_paramgen() and DSA_meth_set_paramgen() get and set the function +used for generating DSA parameters respectively. This function will be called in +response to the application calling DSA_generate_parameters_ex() (or +DSA_generate_parameters()). The parameters for the function have the same +meaning as for DSA_generate_parameters_ex(). 
+ +DSA_meth_get_keygen() and DSA_meth_set_keygen() get and set the function +used for generating a new DSA key pair respectively. This function will be +called in response to the application calling DSA_generate_key(). The parameter +for the function has the same meaning as for DSA_generate_key(). + +=head1 RETURN VALUES + +DSA_meth_new() and DSA_meth_dup() return the newly allocated DSA_METHOD object +or NULL on failure. + +DSA_meth_get0_name() and DSA_meth_get_flags() return the name and flags +associated with the DSA_METHOD respectively. + +All other DSA_meth_get_*() functions return the appropriate function pointer +that has been set in the DSA_METHOD, or NULL if no such pointer has yet been +set. + +DSA_meth_set1_name() and all DSA_meth_set_*() functions return 1 on success or +0 on failure. + +=head1 SEE ALSO + +L, L, L, L, +L, L, L, L, +L, L, L + +=head1 HISTORY + +The functions described here were added in OpenSSL version 1.1.0. + +=cut diff --git a/doc/crypto/DSA_set_method.pod b/doc/crypto/DSA_set_method.pod index 632aadb..1d56cca 100644 --- a/doc/crypto/DSA_set_method.pod +++ b/doc/crypto/DSA_set_method.pod 
@@ -47,55 +47,14 @@ be released during the change. It is possible to have DSA keys that only work with certain DSA_METHOD implementations (eg. from an ENGINE module that supports embedded hardware-protected keys), and in such cases attempting to change the DSA_METHOD for the key can have unexpected -results. +results. See L for information on constructing custom DSA_METHOD +objects; DSA_new_method() allocates and initializes a DSA structure so that B will be used for the DSA operations. If B is NULL, the default engine for DSA operations is used, and if no default ENGINE is set, the DSA_METHOD controlled by DSA_set_default_method() is used. -=head1 THE DSA_METHOD STRUCTURE - -struct - { - /* name of the implementation */ - const char *name; - - /* sign */ - DSA_SIG *(*dsa_do_sign)(const unsigned char *dgst, int dlen, - DSA *dsa); - - /* pre-compute k^-1 and r */ - int (*dsa_sign_setup)(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, - BIGNUM **rp); - - /* verify */ - int (*dsa_do_verify)(const unsigned char *dgst, int dgst_len, - DSA_SIG *sig, DSA *dsa); - - /* compute rr = a1^p1 * a2^p2 mod m (May be NULL for some - implementations) */ - int (*dsa_mod_exp)(DSA *dsa, BIGNUM *rr, BIGNUM *a1, BIGNUM *p1, - BIGNUM *a2, BIGNUM *p2, BIGNUM *m, - BN_CTX *ctx, BN_MONT_CTX *in_mont); - - /* compute r = a ^ p mod m (May be NULL for some implementations) */ - int (*bn_mod_exp)(DSA *dsa, BIGNUM *r, BIGNUM *a, - const BIGNUM *p, const BIGNUM *m, - BN_CTX *ctx, BN_MONT_CTX *m_ctx); - - /* called at DSA_new */ - int (*init)(DSA *DSA); - - /* called at DSA_free */ - int (*finish)(DSA *DSA); - - int flags; - - char *app_data; /* ?? */ - - } DSA_METHOD; - =head1 RETURN VALUES DSA_OpenSSL() and DSA_get_default_method() return pointers to the respective @@ -113,6 +72,6 @@ fails. Otherwise it returns a pointer to the newly allocated structure. =head1 SEE ALSO -L, L +L, L, L =cut diff --git a/engines/e_capi.c b/engines/e_capi.c index 58283e5..f44acc9 100644 --- a/engines/e_capi.c 
+++ b/engines/e_capi.c @@ -447,20 +447,7 @@ static RSA_METHOD capi_rsa_method = { 0 /* rsa_verify */ }; -static DSA_METHOD capi_dsa_method = { - "CryptoAPI DSA method", - capi_dsa_do_sign, /* dsa_do_sign */ - 0, /* dsa_sign_setup */ - 0, /* dsa_do_verify */ - 0, /* dsa_mod_exp */ - 0, /* bn_mod_exp */ - 0, /* init */ - capi_dsa_free, /* finish */ - 0, /* flags */ - NULL, /* app_data */ - 0, /* dsa_paramgen */ - 0 /* dsa_keygen */ -}; +static DSA_METHOD *capi_dsa_method = NULL; static int use_aes_csp = 0; @@ -489,9 +476,16 @@ static int capi_init(ENGINE *e) /* Setup DSA Method */ dsa_capi_idx = DSA_get_ex_new_index(0, NULL, NULL, NULL, 0); ossl_dsa_meth = DSA_OpenSSL(); - capi_dsa_method.dsa_do_verify = ossl_dsa_meth->dsa_do_verify; - capi_dsa_method.dsa_mod_exp = ossl_dsa_meth->dsa_mod_exp; - capi_dsa_method.bn_mod_exp = ossl_dsa_meth->bn_mod_exp; + if ( !DSA_meth_set_sign(capi_dsa_method, capi_dsa_do_sign) + || !DSA_meth_set_verify(capi_dsa_method, + DSA_meth_get_verify(ossl_dsa_meth)) + || !DSA_meth_set_finish(capi_dsa_method, capi_dsa_free) + || !DSA_meth_set_mod_exp(capi_dsa_method, + DSA_meth_get_mod_exp(ossl_dsa_meth)) + || !DSA_meth_set_bn_mod_exp(capi_dsa_method, + DSA_meth_get_bn_mod_exp(ossl_dsa_meth))) { + goto memerr; + } } ctx = capi_ctx_new(); @@ -535,6 +529,8 @@ static int capi_init(ENGINE *e) static int capi_destroy(ENGINE *e) { + DSA_meth_free(capi_dsa_method); + capi_dsa_method = NULL; ERR_unload_CAPI_strings(); return 1; } @@ -564,6 +560,9 @@ struct CAPI_KEY_st { static int bind_capi(ENGINE *e) { + capi_dsa_method = DSA_meth_new("CryptoAPI DSA method", 0); + if (capi_dsa_method == NULL) + return 0; if (!ENGINE_set_id(e, engine_capi_id) || !ENGINE_set_name(e, engine_capi_name) || !ENGINE_set_flags(e, ENGINE_FLAGS_NO_REGISTER_ALL) 
@@ -571,7 +570,7 @@ static int bind_capi(ENGINE *e) || !ENGINE_set_finish_function(e, capi_finish) || !ENGINE_set_destroy_function(e, capi_destroy) || !ENGINE_set_RSA(e, &capi_rsa_method) - || !ENGINE_set_DSA(e, &capi_dsa_method) + || !ENGINE_set_DSA(e, capi_dsa_method) || !ENGINE_set_load_privkey_function(e, capi_load_privkey) || !ENGINE_set_load_ssl_client_cert_function(e, capi_load_ssl_client_cert) @@ -716,6 +715,7 @@ static EVP_PKEY *capi_get_pkey(ENGINE *eng, CAPI_KEY * key) DSSPUBKEY *dp; DWORD dsa_plen; unsigned char *btmp; + BIGNUM *p, *q, *g, *pub_key; dp = (DSSPUBKEY *) (bh + 1); if (dp->magic != 0x31535344) { char magstr[10]; @@ -730,23 +730,24 @@ static EVP_PKEY *capi_get_pkey(ENGINE *eng, CAPI_KEY * key) dkey = DSA_new_method(eng); if (!dkey) goto memerr; - dkey->p = BN_new(); - dkey->q = BN_new(); - dkey->g = BN_new(); - dkey->pub_key = BN_new(); - if (dkey->p == NULL || dkey->q == NULL || dkey->g == NULL - || dkey->pub_key == NULL) + p = BN_new(); + q = BN_new(); + g = BN_new(); + pub_key = BN_new(); + if (p == NULL || q == NULL || g == NULL || pub_key == NULL) goto memerr; - if (!lend_tobn(dkey->p, btmp, dsa_plen)) + DSA_set0_pqg(dkey, p, q, g); + DSA_set0_key(dkey, pub_key, NULL); + if (!lend_tobn(p, btmp, dsa_plen)) goto memerr; btmp += dsa_plen; - if (!lend_tobn(dkey->q, btmp, 20)) + if (!lend_tobn(q, btmp, 20)) goto memerr; btmp += 20; - if (!lend_tobn(dkey->g, btmp, dsa_plen)) + if (!lend_tobn(g, btmp, dsa_plen)) goto memerr; btmp += dsa_plen; - if (!lend_tobn(dkey->pub_key, btmp, dsa_plen)) + if (!lend_tobn(pub_key, btmp, dsa_plen)) goto memerr; btmp += dsa_plen; @@ -985,7 +986,7 @@ static DSA_SIG *capi_dsa_do_sign(const unsigned char *digest, int dlen, CAPI_CTX *ctx; unsigned char csigbuf[40]; - ctx = ENGINE_get_ex_data(dsa->engine, capi_idx); + ctx = ENGINE_get_ex_data(DSA_get0_engine(dsa), capi_idx); CAPI_trace(ctx, "Called CAPI_dsa_do_sign()\n"); diff --git a/include/openssl/dsa.h b/include/openssl/dsa.h index 240a1af..1b04584 100644 
--- a/include/openssl/dsa.h +++ b/include/openssl/dsa.h @@ -74,8 +74,8 @@ extern "C" { # include # include # include +# include # if OPENSSL_API_COMPAT < 0x10100000L -# include # include # endif @@ -117,55 +117,6 @@ extern "C" { typedef struct DSA_SIG_st DSA_SIG; -struct dsa_method { - const char *name; - DSA_SIG *(*dsa_do_sign) (const unsigned char *dgst, int dlen, DSA *dsa); - int (*dsa_sign_setup) (DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, - BIGNUM **rp); - int (*dsa_do_verify) (const unsigned char *dgst, int dgst_len, - DSA_SIG *sig, DSA *dsa); - int (*dsa_mod_exp) (DSA *dsa, BIGNUM *rr, BIGNUM *a1, BIGNUM *p1, - BIGNUM *a2, BIGNUM *p2, BIGNUM *m, BN_CTX *ctx, - BN_MONT_CTX *in_mont); - /* Can be null */ - int (*bn_mod_exp) (DSA *dsa, BIGNUM *r, BIGNUM *a, const BIGNUM *p, - const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx); - int (*init) (DSA *dsa); - int (*finish) (DSA *dsa); - int flags; - char *app_data; - /* If this is non-NULL, it is used to generate DSA parameters */ - int (*dsa_paramgen) (DSA *dsa, int bits, - const unsigned char *seed, int seed_len, - int *counter_ret, unsigned long *h_ret, - BN_GENCB *cb); - /* If this is non-NULL, it is used to generate DSA keys */ - int (*dsa_keygen) (DSA *dsa); -}; - -struct dsa_st { - /* - * This first variable is used to pick up errors where a DSA is passed - * instead of of a EVP_PKEY - */ - int pad; - long version; - BIGNUM *p; - BIGNUM *q; /* == 20 */ - BIGNUM *g; - BIGNUM *pub_key; /* y public key */ - BIGNUM *priv_key; /* x private key */ - int flags; - /* Normally used to cache montgomery values */ - BN_MONT_CTX *method_mont_p; - int references; - CRYPTO_EX_DATA ex_data; - const DSA_METHOD *meth; - /* functional reference if 'meth' is ENGINE-provided */ - ENGINE *engine; - CRYPTO_RWLOCK *lock; -}; - # define d2i_DSAparams_fp(fp,x) (DSA *)ASN1_d2i_fp((char *(*)())DSA_new, \ (char *(*)())d2i_DSAparams,(fp),(unsigned char **)(x)) # define i2d_DSAparams_fp(fp,x) ASN1_i2d_fp(i2d_DSAparams,(fp), \ 
@@ -189,6 +140,7 @@ const DSA_METHOD *DSA_OpenSSL(void); void DSA_set_default_method(const DSA_METHOD *); const DSA_METHOD *DSA_get_default_method(void); int DSA_set_method(DSA *dsa, const DSA_METHOD *); +const DSA_METHOD *DSA_get_method(DSA *d); DSA *DSA_new(void); DSA *DSA_new_method(ENGINE *engine); 
@@ -264,6 +216,61 @@ DH *DSA_dup_DH(const DSA *r); # define EVP_PKEY_CTRL_DSA_PARAMGEN_Q_BITS (EVP_PKEY_ALG_CTRL + 2) # define EVP_PKEY_CTRL_DSA_PARAMGEN_MD (EVP_PKEY_ALG_CTRL + 3) +void DSA_get0_pqg(const DSA *d, BIGNUM **p, BIGNUM **q, BIGNUM **g); +int DSA_set0_pqg(DSA *d, BIGNUM *p, BIGNUM *q, BIGNUM *g); +void DSA_get0_key(const DSA *d, BIGNUM **pub_key, BIGNUM **priv_key); +int DSA_set0_key(DSA *d, BIGNUM *pub_key, BIGNUM *priv_key); +void DSA_clear_flags(DSA *d, int flags); +int DSA_test_flags(const DSA *d, int flags); +void DSA_set_flags(DSA *d, int flags); +ENGINE *DSA_get0_engine(DSA *d); + +DSA_METHOD *DSA_meth_new(const char *name, int flags); +void DSA_meth_free(DSA_METHOD *dsam); +DSA_METHOD *DSA_meth_dup(const DSA_METHOD *dsam); +const char *DSA_meth_get0_name(const DSA_METHOD *dsam); +int DSA_meth_set1_name(DSA_METHOD *dsam, const char *name); +int DSA_meth_get_flags(DSA_METHOD *dsam); +int DSA_meth_set_flags(DSA_METHOD *dsam, int flags); +void *DSA_meth_get0_app_data(const DSA_METHOD *dsam); +int DSA_meth_set0_app_data(DSA_METHOD *dsam, void *app_data); +DSA_SIG *(*DSA_meth_get_sign(const DSA_METHOD *dsam)) + (const unsigned char *, int, DSA *); +int DSA_meth_set_sign(DSA_METHOD *dsam, + DSA_SIG *(*sign) (const unsigned char *, int, DSA *)); +int (*DSA_meth_get_sign_setup(const DSA_METHOD *dsam)) + (DSA *, BN_CTX *, BIGNUM **, BIGNUM **); +int DSA_meth_set_sign_setup(DSA_METHOD *dsam, + int (*sign_setup) (DSA *, BN_CTX *, BIGNUM **, BIGNUM **)); +int (*DSA_meth_get_verify(const DSA_METHOD *dsam)) + (const unsigned char *, int , DSA_SIG *, DSA *); +int DSA_meth_set_verify(DSA_METHOD *dsam, + int (*verify) (const unsigned char *, int, DSA_SIG *, DSA *)); +int (*DSA_meth_get_mod_exp(const DSA_METHOD *dsam)) + (DSA *, BIGNUM *, BIGNUM *, BIGNUM *, BIGNUM *, BIGNUM *, BIGNUM *, + BN_CTX *, BN_MONT_CTX *); +int DSA_meth_set_mod_exp(DSA_METHOD *dsam, + int (*mod_exp) (DSA *, BIGNUM *, BIGNUM *, BIGNUM *, BIGNUM *, BIGNUM *, + BIGNUM *, BN_CTX *, 
BN_MONT_CTX *)); +int (*DSA_meth_get_bn_mod_exp(const DSA_METHOD *dsam)) + (DSA *, BIGNUM *, BIGNUM *, const BIGNUM *, const BIGNUM *, BN_CTX *, + BN_MONT_CTX *); +int DSA_meth_set_bn_mod_exp(DSA_METHOD *dsam, + int (*bn_mod_exp) (DSA *, BIGNUM *, BIGNUM *, const BIGNUM *, + const BIGNUM *, BN_CTX *, BN_MONT_CTX *)); +int (*DSA_meth_get_init(const DSA_METHOD *dsam))(DSA *); +int DSA_meth_set_init(DSA_METHOD *dsam, int (*init)(DSA *)); +int (*DSA_meth_get_finish(const DSA_METHOD *dsam)) (DSA *); +int DSA_meth_set_finish(DSA_METHOD *dsam, int (*finish) (DSA *)); +int (*DSA_meth_get_paramgen(const DSA_METHOD *dsam)) + (DSA *, int, const unsigned char *, int, int *, unsigned long *, + BN_GENCB *); +int DSA_meth_set_paramgen(DSA_METHOD *dsam, + int (*paramgen) (DSA *, int, const unsigned char *, int, int *, + unsigned long *, BN_GENCB *)); +int (*DSA_meth_get_keygen(const DSA_METHOD *dsam)) (DSA *); +int DSA_meth_set_keygen(DSA_METHOD *dsam, int (*keygen) (DSA *)); + /* BEGIN ERROR CODES */ /* * The following lines are auto generated by the script mkerr.pl. Any changes diff --git a/test/dsatest.c b/test/dsatest.c index 27996ac..1945f35 100644 --- a/test/dsatest.c +++ b/test/dsatest.c @@ -133,6 +133,7 @@ int main(int argc, char **argv) unsigned long h; unsigned char sig[256]; unsigned int siglen; + BIGNUM *p = NULL, *q = NULL, *g = NULL; if (bio_err == NULL) bio_err = BIO_new_fp(stderr, BIO_NOCLOSE | BIO_FP_TEXT); 
@@ -172,34 +173,35 @@ int main(int argc, char **argv) goto end; } - i = BN_bn2bin(dsa->q, buf); + DSA_get0_pqg(dsa, &p, &q, &g); + i = BN_bn2bin(q, buf); j = sizeof(out_q); if ((i != j) || (memcmp(buf, out_q, i) != 0)) { BIO_printf(bio_err, "q value is wrong\n"); goto end; } - i = BN_bn2bin(dsa->p, buf); + i = BN_bn2bin(p, buf); j = sizeof(out_p); if ((i != j) || (memcmp(buf, out_p, i) != 0)) { BIO_printf(bio_err, "p value is wrong\n"); goto end; } - i = BN_bn2bin(dsa->g, buf); + i = BN_bn2bin(g, buf); j = sizeof(out_g); if ((i != j) || (memcmp(buf, out_g, i) != 0)) { BIO_printf(bio_err, "g value is wrong\n"); goto end; } - dsa->flags |= DSA_FLAG_NO_EXP_CONSTTIME; + DSA_set_flags(dsa, DSA_FLAG_NO_EXP_CONSTTIME); DSA_generate_key(dsa); DSA_sign(0, str1, 20, sig, &siglen, dsa); if (DSA_verify(0, str1, 20, sig, siglen, dsa) == 1) ret = 1; - dsa->flags &= ~DSA_FLAG_NO_EXP_CONSTTIME; + DSA_clear_flags(dsa, DSA_FLAG_NO_EXP_CONSTTIME); DSA_generate_key(dsa); DSA_sign(0, str1, 20, sig, &siglen, dsa); if (DSA_verify(0, str1, 20, sig, siglen, dsa) == 1) diff --git a/util/libcrypto.num b/util/libcrypto.num index 7e704d3..53ba278 100644 --- a/util/libcrypto.num +++ b/util/libcrypto.num 
@@ -4086,3 +4086,39 @@ BIO_meth_get_destroy 3951 1_1_0 EXIST::FUNCTION: BIO_meth_get_read 3952 1_1_0 EXIST::FUNCTION: BIO_set_retry_reason 3953 1_1_0 EXIST::FUNCTION: BIO_meth_free 3954 1_1_0 EXIST::FUNCTION: +DSA_meth_set_bn_mod_exp 3955 1_1_0 EXIST::FUNCTION:DSA +DSA_meth_set_init 3956 1_1_0 EXIST::FUNCTION:DSA +DSA_meth_free 3957 1_1_0 EXIST::FUNCTION:DSA +DSA_meth_set_mod_exp 3958 1_1_0 EXIST::FUNCTION:DSA +DSA_meth_set_sign 3959 1_1_0 EXIST::FUNCTION:DSA +DSA_meth_get_finish 3960 1_1_0 EXIST::FUNCTION:DSA +DSA_set_flags 3961 1_1_0 EXIST::FUNCTION:DSA +DSA_get0_pqg 3962 1_1_0 EXIST::FUNCTION:DSA +DSA_meth_get_app_data 3963 1_1_0 EXIST::FUNCTION:DSA +DSA_meth_get_keygen 3964 1_1_0 EXIST::FUNCTION:DSA +DSA_clear_flags 3965 1_1_0 EXIST::FUNCTION:DSA +DSA_meth_get0_name 3966 1_1_0 EXIST::FUNCTION:DSA +DSA_meth_get_paramgen 3967 1_1_0 EXIST::FUNCTION:DSA +DSA_meth_get_sign 3968 1_1_0 EXIST::FUNCTION:DSA +DSA_meth_set_paramgen 3969 1_1_0 EXIST::FUNCTION:DSA +DSA_test_flags 3970 1_1_0 EXIST::FUNCTION:DSA +DSA_meth_set_app_data 3971 1_1_0 EXIST::FUNCTION:DSA +DSA_meth_set1_name 3972 1_1_0 EXIST::FUNCTION:DSA +DSA_get0_key 3973 1_1_0 EXIST::FUNCTION:DSA +DSA_meth_get_mod_exp 3974 1_1_0 EXIST::FUNCTION:DSA +DSA_set0_pqg 3975 1_1_0 EXIST::FUNCTION:DSA +DSA_meth_get_flags 3976 1_1_0 EXIST::FUNCTION:DSA +DSA_meth_get_verify 3977 1_1_0 EXIST::FUNCTION:DSA +DSA_meth_set_verify 3978 1_1_0 EXIST::FUNCTION:DSA +DSA_meth_set_finish 3979 1_1_0 EXIST::FUNCTION:DSA +DSA_meth_set_keygen 3980 1_1_0 EXIST::FUNCTION:DSA +DSA_meth_dup 3981 1_1_0 EXIST::FUNCTION:DSA +DSA_set0_key 3982 1_1_0 EXIST::FUNCTION:DSA +DSA_meth_get_init 3983 1_1_0 EXIST::FUNCTION:DSA +DSA_meth_set_sign_setup 3984 1_1_0 EXIST::FUNCTION:DSA +DSA_meth_get_bn_mod_exp 3985 1_1_0 EXIST::FUNCTION:DSA +DSA_get_method 3986 1_1_0 EXIST::FUNCTION:DSA +DSA_meth_new 3987 1_1_0 EXIST::FUNCTION:DSA +DSA_meth_set_flags 3988 1_1_0 EXIST::FUNCTION:DSA +DSA_meth_get_sign_setup 3989 1_1_0 EXIST::FUNCTION:DSA +DSA_get0_engine 3990 
1_1_0 EXIST::FUNCTION:DSA From builds at travis-ci.org Sat Apr 2 23:49:55 2016 From: builds at travis-ci.org (Travis CI) Date: Sat, 02 Apr 2016 23:49:55 +0000 Subject: [openssl-commits] Still Failing: openssl/openssl#3194 (master - aa05e7c) In-Reply-To: Message-ID: <57005aa2bc2ef_33f97d7c3817061593a@fd2259c4-c155-4914-a0c9-a423ec337c34.mail> Build Update for openssl/openssl ------------------------------------- Build: #3194 Status: Still Failing Duration: 21 minutes and 0 seconds Commit: aa05e7c (master) Author: Matt Caswell Message: Rename get/set_app_data to get0/set0_app_data Also fixed a style issue Reviewed-by: Richard Levitte Reviewed-by: Stephen Henson View the changeset: https://github.com/openssl/openssl/compare/25c78440d21c...aa05e7caea28 View the full build log and details: https://travis-ci.org/openssl/openssl/builds/120353797 -- You can configure recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications -------------- next part -------------- An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Sat Apr 2 23:53:23 2016 From: no-reply at appveyor.com (AppVeyor) Date: Sat, 02 Apr 2016 23:53:23 +0000 Subject: [openssl-commits] Build failed: openssl master.2512 Message-ID: <20160402235322.94592.43773.52B9F1B9@appveyor.com> An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Sun Apr 3 01:32:25 2016 From: no-reply at appveyor.com (AppVeyor) Date: Sun, 03 Apr 2016 01:32:25 +0000 Subject: [openssl-commits] Build failed: openssl master.2513 Message-ID: <20160403013224.94580.59528.216D3521@appveyor.com> An HTML attachment was scrubbed... URL: From levitte at openssl.org Sun Apr 3 10:22:28 2016 
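Review bot: in the bind_capi() hunk of engines/e_capi.c, the DSA_METHOD returned by DSA_meth_new() is allocated before the ENGINE_set_*() chain, and nothing in the visible lines frees it if a call in that chain fails. capi_destroy(), which now does the DSA_meth_free(), is only registered by ENGINE_set_destroy_function() further down the same chain, so a failure in ENGINE_set_id(), ENGINE_set_name() or ENGINE_set_flags() would leave capi_dsa_method allocated. Suggest calling DSA_meth_free(capi_dsa_method) and resetting the pointer to NULL on the failure return of bind_capi().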
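Review bot: in the capi_get_pkey() hunk of engines/e_capi.c, p, q, g and pub_key are now uninitialised locals that dkey does not own until DSA_set0_pqg() and DSA_set0_key() have run, so the "goto memerr" taken when one BN_new() fails leaves the successfully allocated BIGNUMs unreachable. Before the change they were stored directly in dkey->p, dkey->q, dkey->g and dkey->pub_key and stayed reachable through dkey. Suggest declaring the four pointers as NULL, releasing them with BN_free() on that early failure path, and checking the results of DSA_set0_pqg() and DSA_set0_key(), which include/openssl/dsa.h declares as int and this hunk discards.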
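Review bot: the util/libcrypto.num hunk lists DSA_meth_get_app_data (3963) and DSA_meth_set_app_data (3971), but the include/openssl/dsa.h hunk of the same patch declares DSA_meth_get0_app_data() and DSA_meth_set0_app_data(). The ordinal entries should carry the names the header actually declares, so rename those two lines to the get0/set0 forms to keep the export list and the header in agreement.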
From: levitte at openssl.org (Richard Levitte) Date: Sun, 03 Apr 2016 10:22:28 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1459678948.873681.9229.nullmailer@dev.openssl.org> The branch master has been updated via 0f1ef63bf1708fbbb1ab248d455f619ce2d5b1ac (commit) from aa05e7caea28d9a7142ae89a38f8fa962695c687 (commit) - Log ----------------------------------------------------------------- commit 0f1ef63bf1708fbbb1ab248d455f619ce2d5b1ac Author: Richard Levitte Date: Sun Apr 3 09:15:19 2016 +0200 Ordinals adjustment Two renamed functions were forgotten in util/libcrypto.num Reviewed-by: Matt Caswell ----------------------------------------------------------------------- Summary of changes: util/libcrypto.num | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/util/libcrypto.num b/util/libcrypto.num index 53ba278..6268a86 100644 --- a/util/libcrypto.num +++ b/util/libcrypto.num @@ -4094,7 +4094,7 @@ DSA_meth_set_sign 3959 1_1_0 EXIST::FUNCTION:DSA DSA_meth_get_finish 3960 1_1_0 EXIST::FUNCTION:DSA DSA_set_flags 3961 1_1_0 EXIST::FUNCTION:DSA DSA_get0_pqg 3962 1_1_0 EXIST::FUNCTION:DSA -DSA_meth_get_app_data 3963 1_1_0 EXIST::FUNCTION:DSA +DSA_meth_get0_app_data 3963 1_1_0 EXIST::FUNCTION:DSA DSA_meth_get_keygen 3964 1_1_0 EXIST::FUNCTION:DSA DSA_clear_flags 3965 1_1_0 EXIST::FUNCTION:DSA DSA_meth_get0_name 3966 1_1_0 EXIST::FUNCTION:DSA @@ -4102,7 +4102,7 @@ DSA_meth_get_paramgen 3967 1_1_0 EXIST::FUNCTION:DSA DSA_meth_get_sign 3968 1_1_0 EXIST::FUNCTION:DSA DSA_meth_set_paramgen 3969 1_1_0 EXIST::FUNCTION:DSA DSA_test_flags 3970 1_1_0 EXIST::FUNCTION:DSA -DSA_meth_set_app_data 3971 1_1_0 EXIST::FUNCTION:DSA +DSA_meth_set0_app_data 3971 1_1_0 EXIST::FUNCTION:DSA DSA_meth_set1_name 3972 1_1_0 EXIST::FUNCTION:DSA DSA_get0_key 3973 1_1_0 EXIST::FUNCTION:DSA DSA_meth_get_mod_exp 3974 1_1_0 EXIST::FUNCTION:DSA From builds at travis-ci.org Sun Apr 3 10:43:28 2016 
From: builds at travis-ci.org (Travis CI) Date: Sun, 03 Apr 2016 10:43:28 +0000 Subject: [openssl-commits] Still Failing: openssl/openssl#3196 (master - 0f1ef63) In-Reply-To: Message-ID: <5700f3d027827_33f97d7c38b4878155e@fd2259c4-c155-4914-a0c9-a423ec337c34.mail> Build Update for openssl/openssl ------------------------------------- Build: #3196 Status: Still Failing Duration: 20 minutes and 30 seconds Commit: 0f1ef63 (master) Author: Richard Levitte Message: Ordinals adjustment Two renamed functions were forgotten in util/libcrypto.num Reviewed-by: Matt Caswell View the changeset: https://github.com/openssl/openssl/compare/aa05e7caea28...0f1ef63bf170 View the full build log and details: https://travis-ci.org/openssl/openssl/builds/120406935 -- You can configure recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications -------------- next part -------------- An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Sun Apr 3 11:17:14 2016 From: no-reply at appveyor.com (AppVeyor) Date: Sun, 03 Apr 2016 11:17:14 +0000 Subject: [openssl-commits] Build failed: openssl master.2514 Message-ID: <20160403111712.94592.16080.2A02516F@appveyor.com> An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Sun Apr 3 11:34:40 2016 From: no-reply at appveyor.com (AppVeyor) Date: Sun, 03 Apr 2016 11:34:40 +0000 Subject: [openssl-commits] Build failed: openssl 155 Message-ID: <20160403113439.49893.9311.7414E0A2@appveyor.com> An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Sun Apr 3 12:12:46 2016 From: no-reply at appveyor.com (AppVeyor) Date: Sun, 03 Apr 2016 12:12:46 +0000 Subject: [openssl-commits] Build failed: openssl master.2515 Message-ID: <20160403121246.32735.92371.D861140B@appveyor.com> An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Sun Apr 3 13:19:36 2016 
From: no-reply at appveyor.com (AppVeyor) Date: Sun, 03 Apr 2016 13:19:36 +0000 Subject: [openssl-commits] Build failed: openssl master.2516 Message-ID: <20160403131936.28265.48279.A98671BF@appveyor.com> An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Sun Apr 3 13:25:11 2016 From: no-reply at appveyor.com (AppVeyor) Date: Sun, 03 Apr 2016 13:25:11 +0000 Subject: [openssl-commits] Build failed: openssl 156 Message-ID: <20160403132511.9990.7596.9FCF6328@appveyor.com> An HTML attachment was scrubbed... URL: From viktor at openssl.org Sun Apr 3 15:38:30 2016 
From: viktor at openssl.org (Viktor Dukhovni) Date: Sun, 03 Apr 2016 15:38:30 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1459697910.445585.4343.nullmailer@dev.openssl.org> The branch master has been updated via bb3bdf0507ac5c9713a7e99d8652085b2f150b06 (commit) via fbb82a60dcbe820714a246ab3e7617eaf3a7b656 (commit) via 70dd3c6593d87e4cbb56b485717cb2cfff730f3e (commit) from 0f1ef63bf1708fbbb1ab248d455f619ce2d5b1ac (commit) - Log ----------------------------------------------------------------- commit bb3bdf0507ac5c9713a7e99d8652085b2f150b06 Author: Viktor Dukhovni Date: Sun Mar 20 04:12:52 2016 -0400 make update Reviewed-by: Dr. Stephen Henson commit fbb82a60dcbe820714a246ab3e7617eaf3a7b656 Author: Viktor Dukhovni Date: Fri Mar 18 22:09:41 2016 -0400 Move peer chain security checks into x509_vfy.c A new X509_VERIFY_PARAM_set_auth_level() function sets the authentication security level. For verification of SSL peers, this is automatically set from the SSL security level. Otherwise, for now, the authentication security level remains at (effectively) 0 by default. The new "-auth_level" verify(1) option is available in all the command-line tools that support the standard verify(1) options. New verify(1) tests added to check enforcement of chain signature and public key security levels. Also added new tests of enforcement of the verify_depth limit. Updated documentation. Reviewed-by: Dr. Stephen Henson commit 70dd3c6593d87e4cbb56b485717cb2cfff730f3e Author: Viktor Dukhovni Date: Sat Feb 27 14:17:28 2016 -0500 Tidy up x509_vfy callback handling Reviewed-by: Dr. 
Stephen Henson ----------------------------------------------------------------------- Summary of changes: apps/apps.h | 8 +- apps/opt.c | 5 + crypto/x509/x509_lcl.h | 4 +- crypto/x509/x509_lu.c | 4 +- crypto/x509/x509_txt.c | 6 + crypto/x509/x509_vfy.c | 661 ++++++++++++---------- crypto/x509/x509_vpm.c | 17 + doc/apps/cms.pod | 5 +- doc/apps/ocsp.pod | 7 +- doc/apps/s_client.pod | 5 +- doc/apps/s_server.pod | 5 +- doc/apps/smime.pod | 5 +- doc/apps/ts.pod | 21 +- doc/apps/verify.pod | 24 +- doc/crypto/X509_VERIFY_PARAM_set_flags.pod | 42 +- include/openssl/x509_vfy.h | 7 +- ssl/ssl_cert.c | 25 +- test/certs/ca-cert-768.pem | 15 + test/certs/ca-cert-768i.pem | 15 + test/certs/{ca+anyEKU.pem => ca-cert-md5-any.pem} | 16 +- test/certs/{ca-cert.pem => ca-cert-md5.pem} | 16 +- test/certs/ca-key-768.pem | 13 + test/certs/ee-cert-768.pem | 16 + test/certs/{ee-cert2.pem => ee-cert-768i.pem} | 15 +- test/certs/{ee-cert.pem => ee-cert-md5.pem} | 16 +- test/certs/ee-key-768.pem | 13 + test/certs/mkcert.sh | 10 +- test/certs/root-cert-768.pem | 11 + test/certs/{root-cert.pem => root-cert-md5.pem} | 16 +- test/certs/root-key-768.pem | 13 + test/certs/setup.sh | 30 + test/recipes/25-test_verify.t | 48 +- util/libcrypto.num | 2 + 33 files changed, 714 insertions(+), 402 deletions(-) create mode 100644 test/certs/ca-cert-768.pem create mode 100644 test/certs/ca-cert-768i.pem copy test/certs/{ca+anyEKU.pem => ca-cert-md5-any.pem} (54%) copy test/certs/{ca-cert.pem => ca-cert-md5.pem} (54%) create mode 100644 test/certs/ca-key-768.pem create mode 100644 test/certs/ee-cert-768.pem copy test/certs/{ee-cert2.pem => ee-cert-768i.pem} (50%) copy test/certs/{ee-cert.pem => ee-cert-md5.pem} (56%) create mode 100644 test/certs/ee-key-768.pem create mode 100644 test/certs/root-cert-768.pem copy test/certs/{root-cert.pem => root-cert-md5.pem} (53%) create mode 100644 test/certs/root-key-768.pem diff --git a/apps/apps.h b/apps/apps.h index 434ca54..a310dd2 100644 --- a/apps/apps.h 
+++ b/apps/apps.h @@ -180,6 +180,7 @@ void wait_for_async(SSL *s); OPT_V_POLICY_PRINT, OPT_V_CHECK_SS_SIG, OPT_V_TRUSTED_FIRST, \ OPT_V_SUITEB_128_ONLY, OPT_V_SUITEB_128, OPT_V_SUITEB_192, \ OPT_V_PARTIAL_CHAIN, OPT_V_NO_ALT_CHAINS, OPT_V_NO_CHECK_TIME, \ + OPT_V_VERIFY_AUTH_LEVEL, \ OPT_V__LAST # define OPT_V_OPTIONS \ @@ -187,8 +188,10 @@ void wait_for_async(SSL *s); { "purpose", OPT_V_PURPOSE, 's', \ "certificate chain purpose"}, \ { "verify_name", OPT_V_VERIFY_NAME, 's', "verification policy name"}, \ - { "verify_depth", OPT_V_VERIFY_DEPTH, 'p', \ - "chain depth limit"}, \ + { "verify_depth", OPT_V_VERIFY_DEPTH, 'n', \ + "chain depth limit" }, \ + { "auth_level", OPT_V_VERIFY_AUTH_LEVEL, 'n', \ + "chain authentication security level" }, \ { "attime", OPT_V_ATTIME, 'M', "verification epoch time" }, \ { "verify_hostname", OPT_V_VERIFY_HOSTNAME, 's', \ "expected peer hostname" }, \ @@ -235,6 +238,7 @@ void wait_for_async(SSL *s); case OPT_V_PURPOSE: \ case OPT_V_VERIFY_NAME: \ case OPT_V_VERIFY_DEPTH: \ + case OPT_V_VERIFY_AUTH_LEVEL: \ case OPT_V_ATTIME: \ case OPT_V_VERIFY_HOSTNAME: \ case OPT_V_VERIFY_EMAIL: \ diff --git a/apps/opt.c b/apps/opt.c index af994bb..462894a 100644 --- a/apps/opt.c +++ b/apps/opt.c @@ -526,6 +526,11 @@ int opt_verify(int opt, X509_VERIFY_PARAM *vpm) if (i >= 0) X509_VERIFY_PARAM_set_depth(vpm, i); break; + case OPT_V_VERIFY_AUTH_LEVEL: + i = atoi(opt_arg()); + if (i >= 0) + X509_VERIFY_PARAM_set_auth_level(vpm, i); + break; case OPT_V_ATTIME: if (!opt_imax(opt_arg(), &t)) return 0; diff --git a/crypto/x509/x509_lcl.h b/crypto/x509/x509_lcl.h index ad29ec3..603c177 100644 --- a/crypto/x509/x509_lcl.h +++ b/crypto/x509/x509_lcl.h 
@@ -70,6 +70,7 @@ struct X509_VERIFY_PARAM_st { int purpose; /* purpose to check untrusted certificates */ int trust; /* trust setting to check */ int depth; /* Verify depth */ + int auth_level; /* Security level for chain verification */ STACK_OF(ASN1_OBJECT) *policies; /* Permissible policies */ /* Peer identity details */ STACK_OF(OPENSSL_STRING) *hosts; /* Set of acceptable names */ @@ -81,7 +82,8 @@ struct X509_VERIFY_PARAM_st { size_t iplen; /* Length of IP address */ }; -int x509_check_cert_time(X509_STORE_CTX *ctx, X509 *x, int quiet); +/* No error callback if depth < 0 */ +int x509_check_cert_time(X509_STORE_CTX *ctx, X509 *x, int depth); /* a sequence of these are used */ struct x509_attributes_st { diff --git a/crypto/x509/x509_lu.c b/crypto/x509/x509_lu.c index 3b0daf1..f9802c5 100644 --- a/crypto/x509/x509_lu.c +++ b/crypto/x509/x509_lu.c @@ -630,7 +630,7 @@ int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x) } /* If certificate matches all OK */ if (ctx->check_issued(ctx, x, obj.data.x509)) { - if (x509_check_cert_time(ctx, obj.data.x509, 1)) { + if (x509_check_cert_time(ctx, obj.data.x509, -1)) { *issuer = obj.data.x509; return 1; } @@ -661,7 +661,7 @@ int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x) * match if no certificate time is OK. */ - if (x509_check_cert_time(ctx, *issuer, 1)) + if (x509_check_cert_time(ctx, *issuer, -1)) break; } } diff --git a/crypto/x509/x509_txt.c b/crypto/x509/x509_txt.c index f7f27e9..8a9a7f0 100644 --- a/crypto/x509/x509_txt.c +++ b/crypto/x509/x509_txt.c 
@@ -203,6 +203,12 @@ const char *X509_verify_cert_error_string(long n) return ("IP address mismatch"); case X509_V_ERR_DANE_NO_MATCH: return ("No matching DANE TLSA records"); + case X509_V_ERR_EE_KEY_TOO_SMALL: + return ("EE certificate key too weak"); + case X509_V_ERR_CA_KEY_TOO_SMALL: + return ("CA certificate key too weak"); + case X509_V_ERR_CA_MD_TOO_WEAK: + return ("CA signature digest algorithm too weak"); default: /* Printing an error number into a static buffer is not thread-safe */ diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index ffa211b..10fbeef 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c @@ -126,6 +126,8 @@ static int check_cert(X509_STORE_CTX *ctx); static int check_policy(X509_STORE_CTX *ctx); static int get_issuer_sk(X509 **issuer, X509_STORE_CTX *ctx, X509 *x); static int check_dane_issuer(X509_STORE_CTX *ctx, int depth); +static int check_key_level(X509_STORE_CTX *ctx, X509 *cert); +static int check_sig_level(X509_STORE_CTX *ctx, X509 *cert); static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer, unsigned int *preasons, X509_CRL *crl, X509 *x); 
@@ -190,6 +192,66 @@ static X509 *lookup_cert_match(X509_STORE_CTX *ctx, X509 *x) return xtmp; } +/*- + * Inform the verify callback of an error. + * If B is not NULL it is the error cert, otherwise use the chain cert at + * B. + * If B is not X509_V_OK, that's the error value, otherwise leave + * unchanged (presumably set by the caller). + * + * Returns 0 to abort verification with an error, non-zero to continue. + */ +static int verify_cb_cert(X509_STORE_CTX *ctx, X509 *x, int depth, int err) +{ + ctx->error_depth = depth; + ctx->current_cert = (x != NULL) ? x : sk_X509_value(ctx->chain, depth); + if (err != X509_V_OK) + ctx->error = err; + return ctx->verify_cb(0, ctx); +} + +/*- + * Inform the verify callback of an error, CRL-specific variant. Here, the + * error depth and certificate are already set, we just specify the error + * number. + * + * Returns 0 to abort verification with an error, non-zero to continue. + */ +static int verify_cb_crl(X509_STORE_CTX *ctx, int err) +{ + ctx->error = err; + return ctx->verify_cb(0, ctx); +} + +static int check_auth_level(X509_STORE_CTX *ctx) +{ + int i; + int num = sk_X509_num(ctx->chain); + + if (ctx->param->auth_level <= 0) + return 1; + + for (i = 0; i < num; ++i) { + X509 *cert = sk_X509_value(ctx->chain, i); + + /* + * We've already checked the security of the leaf key, so here we only + * check the security of issuer keys. + */ + if (i > 0 && !check_key_level(ctx, cert) && + verify_cb_cert(ctx, cert, i, X509_V_ERR_CA_KEY_TOO_SMALL) == 0) + return 0; + /* + * We also check the signature algorithm security of all certificates + * except those of the trust anchor at index num-1. + */ + if (i < num - 1 && !check_sig_level(ctx, cert) && + verify_cb_cert(ctx, cert, i, X509_V_ERR_CA_MD_TOO_WEAK) == 0) + return 0; + } + return 1; +} + static int verify_chain(X509_STORE_CTX *ctx) { int err; 
@@ -201,6 +263,7 @@ static int verify_chain(X509_STORE_CTX *ctx) */ if ((ok = build_chain(ctx)) == 0 || (ok = check_chain_extensions(ctx)) == 0 || + (ok = check_auth_level(ctx)) == 0 || (ok = check_name_constraints(ctx)) == 0 || (ok = check_id(ctx)) == 0 || 1) X509_get_pubkey_parameters(NULL, ctx->chain); @@ -210,9 +273,7 @@ static int verify_chain(X509_STORE_CTX *ctx) err = X509_chain_check_suiteb(&ctx->error_depth, NULL, ctx->chain, ctx->param->flags); if (err != X509_V_OK) { - ctx->error = err; - ctx->current_cert = sk_X509_value(ctx->chain, ctx->error_depth); - if ((ok = ctx->verify_cb(0, ctx)) == 0) + if ((ok = verify_cb_cert(ctx, NULL, ctx->error_depth, err)) == 0) return ok; } @@ -265,6 +326,11 @@ int X509_verify_cert(X509_STORE_CTX *ctx) X509_up_ref(ctx->cert); ctx->num_untrusted = 1; + /* If the peer's public key is too weak, we can stop early. */ + if (!check_key_level(ctx, ctx->cert) && + !verify_cb_cert(ctx, ctx->cert, 0, X509_V_ERR_EE_KEY_TOO_SMALL)) + return 0; + /* * If dane->trecs is an empty stack, we'll fail, since the user enabled * DANE. If none of the TLSA records were usable, and it makes sense to @@ -279,20 +345,19 @@ int X509_verify_cert(X509_STORE_CTX *ctx) /* * Given a STACK_OF(X509) find the issuer of cert (if any) */ - static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x) { int i; - X509 *issuer, *rv = NULL;; + for (i = 0; i < sk_X509_num(sk); i++) { - issuer = sk_X509_value(sk, i); - if (ctx->check_issued(ctx, x, issuer)) { - rv = issuer; - if (x509_check_cert_time(ctx, rv, 1)) - break; - } + X509 *issuer = sk_X509_value(sk, i); + + if (!ctx->check_issued(ctx, x, issuer)) + continue; + if (x509_check_cert_time(ctx, issuer, -1)) + return issuer; } - return rv; + return NULL; } /* Given a possible certificate and issuer check them */ 
@@ -401,10 +466,7 @@ static int check_purpose(X509_STORE_CTX *ctx, X509 *x, int purpose, int depth, break; } - ctx->error = X509_V_ERR_INVALID_PURPOSE; - ctx->error_depth = depth; - ctx->current_cert = x; - return ctx->verify_cb(0, ctx); + return verify_cb_cert(ctx, x, depth, X509_V_ERR_INVALID_PURPOSE); } /* @@ -453,17 +515,13 @@ static int check_chain_extensions(X509_STORE_CTX *ctx) x = sk_X509_value(ctx->chain, i); if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL) && (x->ex_flags & EXFLAG_CRITICAL)) { - ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION; - ctx->error_depth = i; - ctx->current_cert = x; - if (!ctx->verify_cb(0, ctx)) + if (!verify_cb_cert(ctx, x, i, + X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION)) return 0; } if (!allow_proxy_certs && (x->ex_flags & EXFLAG_PROXY)) { - ctx->error = X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED; - ctx->error_depth = i; - ctx->current_cert = x; - if (!ctx->verify_cb(0, ctx)) + if (!verify_cb_cert(ctx, x, i, + X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED)) return 0; } ret = X509_check_ca(x); @@ -494,24 +552,16 @@ static int check_chain_extensions(X509_STORE_CTX *ctx) ret = 1; break; } - if (ret == 0) { - ctx->error_depth = i; - ctx->current_cert = x; - if (!ctx->verify_cb(0, ctx)) - return 0; - } - if (purpose > 0) { - if (!check_purpose(ctx, x, purpose, i, must_be_ca)) - return 0; - } + if (ret == 0 && !verify_cb_cert(ctx, x, i, X509_V_OK)) + return 0; + /* check_purpose() makes the callback as needed */ + if (purpose > 0 && !check_purpose(ctx, x, purpose, i, must_be_ca)) + return 0; /* Check pathlen if not self issued */ if ((i > 1) && !(x->ex_flags & EXFLAG_SI) && (x->ex_pathlen != -1) && (plen > (x->ex_pathlen + proxy_path_length + 1))) { - ctx->error = X509_V_ERR_PATH_LENGTH_EXCEEDED; - ctx->error_depth = i; - ctx->current_cert = x; - if (!ctx->verify_cb(0, ctx)) + if (!verify_cb_cert(ctx, x, i, X509_V_ERR_PATH_LENGTH_EXCEEDED)) return 0; } /* Increment path length if not self issued */ 
@@ -524,10 +574,8 @@ static int check_chain_extensions(X509_STORE_CTX *ctx) */ if (x->ex_flags & EXFLAG_PROXY) { if (x->ex_pcpathlen != -1 && i > x->ex_pcpathlen) { - ctx->error = X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED; - ctx->error_depth = i; - ctx->current_cert = x; - if (!ctx->verify_cb(0, ctx)) + if (!verify_cb_cert(ctx, x, i, + X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED)) return 0; } proxy_path_length++; @@ -540,11 +588,13 @@ static int check_chain_extensions(X509_STORE_CTX *ctx) static int check_name_constraints(X509_STORE_CTX *ctx) { - X509 *x; - int i, j, rv; + int i; + /* Check name constraints for all certificates */ for (i = sk_X509_num(ctx->chain) - 1; i >= 0; i--) { - x = sk_X509_value(ctx->chain, i); + X509 *x = sk_X509_value(ctx->chain, i); + int j; + /* Ignore self issued certs unless last in chain */ if (i && (x->ex_flags & EXFLAG_SI)) continue; @@ -556,15 +606,12 @@ static int check_name_constraints(X509_STORE_CTX *ctx) */ for (j = sk_X509_num(ctx->chain) - 1; j > i; j--) { NAME_CONSTRAINTS *nc = sk_X509_value(ctx->chain, j)->nc; + if (nc) { - rv = NAME_CONSTRAINTS_check(x, nc); - if (rv != X509_V_OK) { - ctx->error = rv; - ctx->error_depth = i; - ctx->current_cert = x; - if (!ctx->verify_cb(0, ctx)) - return 0; - } + int rv = NAME_CONSTRAINTS_check(x, nc); + + if (rv != X509_V_OK && !verify_cb_cert(ctx, x, i, rv)) + return 0; } } } @@ -573,10 +620,7 @@ static int check_name_constraints(X509_STORE_CTX *ctx) static int check_id_error(X509_STORE_CTX *ctx, int errcode) { - ctx->error = errcode; - ctx->current_cert = ctx->cert; - ctx->error_depth = 0; - return ctx->verify_cb(0, ctx); + return verify_cb_cert(ctx, ctx->cert, 0, errcode); } static int check_hosts(X509 *x, X509_VERIFY_PARAM *vpm) @@ -618,7 +662,7 @@ static int check_id(X509_STORE_CTX *ctx) static int check_trust(X509_STORE_CTX *ctx, int num_untrusted) { - int i, ok = 0; + int i; X509 *x = NULL; X509 *mx; struct dane_st *dane = (struct dane_st *)ctx->dane; 
@@ -698,11 +742,7 @@ static int check_trust(X509_STORE_CTX *ctx, int num_untrusted) return X509_TRUST_UNTRUSTED; rejected: - ctx->error_depth = i; - ctx->current_cert = x; - ctx->error = X509_V_ERR_CERT_REJECTED; - ok = ctx->verify_cb(0, ctx); - if (!ok) + if (!verify_cb_cert(ctx, x, i, X509_V_ERR_CERT_REJECTED)) return X509_TRUST_REJECTED; return X509_TRUST_UNTRUSTED; @@ -742,17 +782,18 @@ static int check_revocation(X509_STORE_CTX *ctx) static int check_cert(X509_STORE_CTX *ctx) { X509_CRL *crl = NULL, *dcrl = NULL; - X509 *x = NULL; - int ok = 0, cnum = 0; - unsigned int last_reasons = 0; - cnum = ctx->error_depth; - x = sk_X509_value(ctx->chain, cnum); + int ok = 0; + int cnum = ctx->error_depth; + X509 *x = sk_X509_value(ctx->chain, cnum); + ctx->current_cert = x; ctx->current_issuer = NULL; ctx->current_crl_score = 0; ctx->current_reasons = 0; + while (ctx->current_reasons != CRLDP_ALL_REASONS) { - last_reasons = ctx->current_reasons; + unsigned int last_reasons = ctx->current_reasons; + /* Try to retrieve relevant CRL */ if (ctx->get_crl) ok = ctx->get_crl(ctx, &crl, x); @@ -762,22 +803,21 @@ static int check_cert(X509_STORE_CTX *ctx) * If error looking up CRL, nothing we can do except notify callback */ if (!ok) { - ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL; - ok = ctx->verify_cb(0, ctx); - goto err; + ok = verify_cb_crl(ctx, X509_V_ERR_UNABLE_TO_GET_CRL); + goto done; } ctx->current_crl = crl; ok = ctx->check_crl(ctx, crl); if (!ok) - goto err; + goto done; if (dcrl) { ok = ctx->check_crl(ctx, dcrl); if (!ok) - goto err; + goto done; ok = ctx->cert_crl(ctx, dcrl, x); if (!ok) - goto err; + goto done; } else ok = 1; @@ -785,7 +825,7 @@ static int check_cert(X509_STORE_CTX *ctx) if (ok != 2) { ok = ctx->cert_crl(ctx, crl, x); if (!ok) - goto err; + goto done; } X509_CRL_free(crl); 
@@ -797,18 +837,16 @@ static int check_cert(X509_STORE_CTX *ctx) * so exit loop. */ if (last_reasons == ctx->current_reasons) { - ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL; - ok = ctx->verify_cb(0, ctx); - goto err; + ok = verify_cb_crl(ctx, X509_V_ERR_UNABLE_TO_GET_CRL); + goto done; } } - err: + done: X509_CRL_free(crl); X509_CRL_free(dcrl); ctx->current_crl = NULL; return ok; - } /* Check CRL times against values in X509_STORE_CTX */ @@ -817,6 +855,7 @@ static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify) { time_t *ptime; int i; + if (notify) ctx->current_crl = crl; if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME) @@ -830,16 +869,14 @@ static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify) if (i == 0) { if (!notify) return 0; - ctx->error = X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD; - if (!ctx->verify_cb(0, ctx)) + if (!verify_cb_crl(ctx, X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD)) return 0; } if (i > 0) { if (!notify) return 0; - ctx->error = X509_V_ERR_CRL_NOT_YET_VALID; - if (!ctx->verify_cb(0, ctx)) + if (!verify_cb_crl(ctx, X509_V_ERR_CRL_NOT_YET_VALID)) return 0; } @@ -849,16 +886,14 @@ static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify) if (i == 0) { if (!notify) return 0; - ctx->error = X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD; - if (!ctx->verify_cb(0, ctx)) + if (!verify_cb_crl(ctx, X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD)) return 0; } /* Ignore expiry of base CRL is delta is valid */ if ((i < 0) && !(ctx->current_crl_score & CRL_SCORE_TIME_DELTA)) { if (!notify) return 0; - ctx->error = X509_V_ERR_CRL_HAS_EXPIRED; - if (!ctx->verify_cb(0, ctx)) + if (!verify_cb_crl(ctx, X509_V_ERR_CRL_HAS_EXPIRED)) return 0; } } @@ -1138,6 +1173,7 @@ static int check_crl_path(X509_STORE_CTX *ctx, X509 *x) { X509_STORE_CTX crl_ctx; int ret; + /* Don't allow recursive CRL path validation */ if (ctx->parent) return 0; 
@@ -1153,12 +1189,10 @@ static int check_crl_path(X509_STORE_CTX *ctx, X509 *x) /* Verify CRL issuer */ ret = X509_verify_cert(&crl_ctx); - if (ret <= 0) goto err; /* Check chain is acceptable */ - ret = check_crl_chain(ctx, ctx->chain, crl_ctx.chain); err: X509_STORE_CTX_cleanup(&crl_ctx); @@ -1315,10 +1349,10 @@ static int get_crl_delta(X509_STORE_CTX *ctx, X509_CRL *crl = NULL, *dcrl = NULL; STACK_OF(X509_CRL) *skcrl; X509_NAME *nm = X509_get_issuer_name(x); + reasons = ctx->current_reasons; ok = get_crl_sk(ctx, &crl, &dcrl, &issuer, &crl_score, &reasons, ctx->crls); - if (ok) goto done; @@ -1335,7 +1369,6 @@ static int get_crl_delta(X509_STORE_CTX *ctx, sk_X509_CRL_pop_free(skcrl, X509_CRL_free); done: - /* If we got any kind of CRL use it and return success */ if (crl) { ctx->current_issuer = issuer; @@ -1345,7 +1378,6 @@ static int get_crl_delta(X509_STORE_CTX *ctx, *pdcrl = dcrl; return 1; } - return 0; } @@ -1354,13 +1386,12 @@ static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl) { X509 *issuer = NULL; EVP_PKEY *ikey = NULL; - int ok = 0, chnum, cnum; - cnum = ctx->error_depth; - chnum = sk_X509_num(ctx->chain) - 1; + int cnum = ctx->error_depth; + int chnum = sk_X509_num(ctx->chain) - 1; + /* if we have an alternative CRL issuer cert use that */ if (ctx->current_issuer) issuer = ctx->current_issuer; - /* * Else find CRL issuer: if not last certificate then issuer is next * certificate in chain. 
@@ -1370,120 +1401,85 @@ static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl) else { issuer = sk_X509_value(ctx->chain, chnum); /* If not self signed, can't check signature */ - if (!ctx->check_issued(ctx, issuer, issuer)) { - ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER; - ok = ctx->verify_cb(0, ctx); - if (!ok) - goto err; - } + if (!ctx->check_issued(ctx, issuer, issuer) && + !verify_cb_crl(ctx, X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER)) + return 0; } - if (issuer) { - /* - * Skip most tests for deltas because they have already been done - */ - if (!crl->base_crl_number) { - /* Check for cRLSign bit if keyUsage present */ - if ((issuer->ex_flags & EXFLAG_KUSAGE) && - !(issuer->ex_kusage & KU_CRL_SIGN)) { - ctx->error = X509_V_ERR_KEYUSAGE_NO_CRL_SIGN; - ok = ctx->verify_cb(0, ctx); - if (!ok) - goto err; - } + if (issuer == NULL) + return 1; - if (!(ctx->current_crl_score & CRL_SCORE_SCOPE)) { - ctx->error = X509_V_ERR_DIFFERENT_CRL_SCOPE; - ok = ctx->verify_cb(0, ctx); - if (!ok) - goto err; - } + /* + * Skip most tests for deltas because they have already been done + */ + if (!crl->base_crl_number) { + /* Check for cRLSign bit if keyUsage present */ + if ((issuer->ex_flags & EXFLAG_KUSAGE) && + !(issuer->ex_kusage & KU_CRL_SIGN) && + !verify_cb_crl(ctx, X509_V_ERR_KEYUSAGE_NO_CRL_SIGN)) + return 0; - if (!(ctx->current_crl_score & CRL_SCORE_SAME_PATH)) { - if (check_crl_path(ctx, ctx->current_issuer) <= 0) { - ctx->error = X509_V_ERR_CRL_PATH_VALIDATION_ERROR; - ok = ctx->verify_cb(0, ctx); - if (!ok) - goto err; - } - } + if (!(ctx->current_crl_score & CRL_SCORE_SCOPE) && + !verify_cb_crl(ctx, X509_V_ERR_DIFFERENT_CRL_SCOPE)) + return 0; - if (crl->idp_flags & IDP_INVALID) { - ctx->error = X509_V_ERR_INVALID_EXTENSION; - ok = ctx->verify_cb(0, ctx); - if (!ok) - goto err; - } + if (!(ctx->current_crl_score & CRL_SCORE_SAME_PATH) && + check_crl_path(ctx, ctx->current_issuer) <= 0 && + !verify_cb_crl(ctx, X509_V_ERR_CRL_PATH_VALIDATION_ERROR)) + return 0; - 
} + if ((crl->idp_flags & IDP_INVALID) && + !verify_cb_crl(ctx, X509_V_ERR_INVALID_EXTENSION)) + return 0; + } - if (!(ctx->current_crl_score & CRL_SCORE_TIME)) { - ok = check_crl_time(ctx, crl, 1); - if (!ok) - goto err; - } + if (!(ctx->current_crl_score & CRL_SCORE_TIME) && + !check_crl_time(ctx, crl, 1)) + return 0; - /* Attempt to get issuer certificate public key */ - ikey = X509_get0_pubkey(issuer); + /* Attempt to get issuer certificate public key */ + ikey = X509_get0_pubkey(issuer); - if (!ikey) { - ctx->error = X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY; - ok = ctx->verify_cb(0, ctx); - if (!ok) - goto err; - } else { - int rv; - rv = X509_CRL_check_suiteb(crl, ikey, ctx->param->flags); - if (rv != X509_V_OK) { - ctx->error = rv; - ok = ctx->verify_cb(0, ctx); - if (!ok) - goto err; - } - /* Verify CRL signature */ - if (X509_CRL_verify(crl, ikey) <= 0) { - ctx->error = X509_V_ERR_CRL_SIGNATURE_FAILURE; - ok = ctx->verify_cb(0, ctx); - if (!ok) - goto err; - } - } - } + if (!ikey && + !verify_cb_crl(ctx, X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY)) + return 0; - ok = 1; + if (ikey) { + int rv = X509_CRL_check_suiteb(crl, ikey, ctx->param->flags); - err: - return ok; + if (rv != X509_V_OK && !verify_cb_crl(ctx, rv)) + return 0; + /* Verify CRL signature */ + if (X509_CRL_verify(crl, ikey) <= 0 && + !verify_cb_crl(ctx, X509_V_ERR_CRL_SIGNATURE_FAILURE)) + return 0; + } + return 1; } /* Check certificate against CRL */ static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x) { - int ok; X509_REVOKED *rev; + /* * The rules changed for this... previously if a CRL contained unhandled * critical extensions it could still be used to indicate a certificate - * was revoked. This has since been changed since critical extension can + * was revoked. This has since been changed since critical extensions can * change the meaning of CRL entries. 
*/ if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL) - && (crl->flags & EXFLAG_CRITICAL)) { - ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION; - ok = ctx->verify_cb(0, ctx); - if (!ok) - return 0; - } + && (crl->flags & EXFLAG_CRITICAL) && + !verify_cb_crl(ctx, X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION)) + return 0; /* - * Look for serial number of certificate in CRL If found make sure reason - * is not removeFromCRL. + * Look for serial number of certificate in CRL. If found, make sure + * reason is not removeFromCRL. */ if (X509_CRL_get0_by_cert(crl, &rev, x)) { if (rev->reason == CRL_REASON_REMOVE_FROM_CRL) return 2; - ctx->error = X509_V_ERR_CERT_REVOKED; - ok = ctx->verify_cb(0, ctx); - if (!ok) + if (!verify_cb_crl(ctx, X509_V_ERR_CERT_REVOKED)) return 0; } @@ -1522,18 +1518,16 @@ static int check_policy(X509_STORE_CTX *ctx) } /* Invalid or inconsistent extensions */ if (ret == X509_PCY_TREE_INVALID) { - /* - * Locate certificates with bad extensions and notify callback. - */ - X509 *x; int i; + + /* Locate certificates with bad extensions and notify callback. */ for (i = 1; i < sk_X509_num(ctx->chain); i++) { - x = sk_X509_value(ctx->chain, i); + X509 *x = sk_X509_value(ctx->chain, i); + if (!(x->ex_flags & EXFLAG_INVALID_POLICY)) continue; - ctx->current_cert = x; - ctx->error = X509_V_ERR_INVALID_POLICY_EXTENSION; - if (!ctx->verify_cb(0, ctx)) + if (!verify_cb_cert(ctx, x, i, + X509_V_ERR_INVALID_POLICY_EXTENSION)) return 0; } return 1; @@ -1558,7 +1552,14 @@ static int check_policy(X509_STORE_CTX *ctx) return 1; } -int x509_check_cert_time(X509_STORE_CTX *ctx, X509 *x, int quiet) +/*- + * Check certificate validity times. + * If depth >= 0, invoke verification callbacks on error, otherwise just return + * the validation status. + * + * Return 1 on success, 0 otherwise. + */ +int x509_check_cert_time(X509_STORE_CTX *ctx, X509 *x, int depth) { time_t *ptime; int i; 
@@ -1571,55 +1572,30 @@ int x509_check_cert_time(X509_STORE_CTX *ctx, X509 *x, int quiet) ptime = NULL; i = X509_cmp_time(X509_get_notBefore(x), ptime); - if (i == 0) { - if (quiet) - return 0; - ctx->error = X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD; - ctx->current_cert = x; - if (!ctx->verify_cb(0, ctx)) - return 0; - } - - if (i > 0) { - if (quiet) - return 0; - ctx->error = X509_V_ERR_CERT_NOT_YET_VALID; - ctx->current_cert = x; - if (!ctx->verify_cb(0, ctx)) - return 0; - } + if (i >= 0 && depth < 0) + return 0; + if (i == 0 && !verify_cb_cert(ctx, x, depth, + X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD)) + return 0; + if (i > 0 && !verify_cb_cert(ctx, x, depth, X509_V_ERR_CERT_NOT_YET_VALID)) + return 0; i = X509_cmp_time(X509_get_notAfter(x), ptime); - if (i == 0) { - if (quiet) - return 0; - ctx->error = X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD; - ctx->current_cert = x; - if (!ctx->verify_cb(0, ctx)) - return 0; - } - - if (i < 0) { - if (quiet) - return 0; - ctx->error = X509_V_ERR_CERT_HAS_EXPIRED; - ctx->current_cert = x; - if (!ctx->verify_cb(0, ctx)) - return 0; - } - + if (i <= 0 && depth < 0) + return 0; + if (i == 0 && !verify_cb_cert(ctx, x, depth, + X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD)) + return 0; + if (i < 0 && !verify_cb_cert(ctx, x, depth, X509_V_ERR_CERT_HAS_EXPIRED)) + return 0; return 1; } static int internal_verify(X509_STORE_CTX *ctx) { - int ok = 0, n; - X509 *xs, *xi; - EVP_PKEY *pkey = NULL; - - n = sk_X509_num(ctx->chain) - 1; - ctx->error_depth = n; - xi = sk_X509_value(ctx->chain, n); + int n = sk_X509_num(ctx->chain) - 1; + X509 *xi = sk_X509_value(ctx->chain, n); + X509 *xs; /* * With DANE-verified bare public key TA signatures, it remains only to 
@@ -1639,16 +1615,12 @@ static int internal_verify(X509_STORE_CTX *ctx) xs = xi; goto check_cert; } - if (n <= 0) { - ctx->error = X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE; - ctx->current_cert = xi; - ok = ctx->verify_cb(0, ctx); - goto end; - } else { - n--; - ctx->error_depth = n; - xs = sk_X509_value(ctx->chain, n); - } + if (n <= 0) + return verify_cb_cert(ctx, xi, 0, + X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE); + n--; + ctx->error_depth = n; + xs = sk_X509_value(ctx->chain, n); } /* 
@@ -1656,50 +1628,47 @@ static int internal_verify(X509_STORE_CTX *ctx) * is allowed to reset errors (at its own peril). */ while (n >= 0) { - ctx->error_depth = n; + EVP_PKEY *pkey; /* - * Skip signature check for self signed certificates unless - * explicitly asked for. It doesn't add any security and just wastes - * time. + * Skip signature check for self signed certificates unless explicitly + * asked for. It doesn't add any security and just wastes time. If + * the issuer's public key is unusable, report the issuer certificate + * and its depth (rather than the depth of the subject). */ if (xs != xi || (ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE)) { if ((pkey = X509_get0_pubkey(xi)) == NULL) { - ctx->error = X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY; - ctx->current_cert = xi; - ok = ctx->verify_cb(0, ctx); - if (!ok) - goto end; + if (!verify_cb_cert(ctx, xi, xi != xs ? n+1 : n, + X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY)) + return 0; } else if (X509_verify(xs, pkey) <= 0) { - ctx->error = X509_V_ERR_CERT_SIGNATURE_FAILURE; - ctx->current_cert = xs; - ok = ctx->verify_cb(0, ctx); - if (!ok) - goto end; + if (!verify_cb_cert(ctx, xs, n, + X509_V_ERR_CERT_SIGNATURE_FAILURE)) + return 0; } } check_cert: - ok = x509_check_cert_time(ctx, xs, 0); - if (!ok) - goto end; + /* Calls verify callback as needed */ + if (!x509_check_cert_time(ctx, xs, n)) + return 0; - /* The last error (if any) is still in the error value */ + /* + * Signal success at this depth. However, the previous error (if any) + * is retained. + */ ctx->current_issuer = xi; ctx->current_cert = xs; - ok = ctx->verify_cb(1, ctx); - if (!ok) - goto end; + ctx->error_depth = n; + if (!ctx->verify_cb(1, ctx)) + return 0; - n--; - if (n >= 0) { + if (--n >= 0) { xi = xs; xs = sk_X509_value(ctx->chain, n); } } - ok = 1; - end: - return ok; + return 1; } int X509_cmp_current_time(const ASN1_TIME *ctm) 
@@ -2662,10 +2631,7 @@ static int check_leaf_suiteb(X509_STORE_CTX *ctx, X509 *cert) if (err == X509_V_OK) return 1; - ctx->current_cert = cert; - ctx->error_depth = 0; - ctx->error = err; - return ctx->verify_cb(0, ctx); + return verify_cb_cert(ctx, cert, 0, err); } static int dane_verify(X509_STORE_CTX *ctx) @@ -2696,8 +2662,10 @@ static int dane_verify(X509_STORE_CTX *ctx) X509_get_pubkey_parameters(NULL, ctx->chain); if (matched > 0) { + /* Callback invoked as needed */ if (!check_leaf_suiteb(ctx, cert)) return 0; + /* Bypass internal_verify(), issue depth 0 success callback */ ctx->error_depth = 0; ctx->current_cert = cert; return ctx->verify_cb(1, ctx); @@ -2714,10 +2682,7 @@ static int dane_verify(X509_STORE_CTX *ctx) /* Fail early, TA-based success is not possible */ if (!check_leaf_suiteb(ctx, cert)) return 0; - ctx->current_cert = cert; - ctx->error_depth = 0; - ctx->error = X509_V_ERR_DANE_NO_MATCH; - return ctx->verify_cb(0, ctx); + return verify_cb_cert(ctx, cert, 0, X509_V_ERR_DANE_NO_MATCH); } /* @@ -2727,6 +2692,19 @@ static int dane_verify(X509_STORE_CTX *ctx) return verify_chain(ctx); } +/* Get issuer, without duplicate suppression */ +static int get_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *cert) +{ + STACK_OF(X509) *saved_chain = ctx->chain; + int ok; + + ctx->chain = NULL; + ok = ctx->get_issuer(issuer, ctx, cert); + ctx->chain = saved_chain; + + return ok; +} + static int build_chain(X509_STORE_CTX *ctx) { struct dane_st *dane = (struct dane_st *)ctx->dane; 
@@ -2806,12 +2784,19 @@ static int build_chain(X509_STORE_CTX *ctx) /* * Look in the trust store if enabled for first lookup, or we've run - * out of untrusted issuers and search here is not disabled. When - * we exceed the depth limit, we simulate absence of a match. + * out of untrusted issuers and search here is not disabled. When we + * reach the depth limit, we stop extending the chain, if by that point + * we've not found a trust-anchor, any trusted chain would be too long. + * + * The error reported to the application verify callback is at the + * maximal valid depth with the current certificate equal to the last + * not ultimately-trusted issuer. For example, with verify_depth = 0, + * the callback will report errors at depth=1 when the immediate issuer + * of the leaf certificate is not a trust anchor. No attempt will be + * made to locate an issuer for that certificate, since such a chain + * would be a-priori too long. */ if ((search & S_DOTRUSTED) != 0) { - STACK_OF(X509) *hide = ctx->chain; - i = num = sk_X509_num(ctx->chain); if ((search & S_DOALTERNATE) != 0) { /* @@ -2833,10 +2818,7 @@ static int build_chain(X509_STORE_CTX *ctx) } x = sk_X509_value(ctx->chain, i-1); - /* Suppress duplicate suppression */ - ctx->chain = NULL; - ok = (depth < num) ? 0 : ctx->get_issuer(&xtmp, ctx, x); - ctx->chain = hide; + ok = (depth < num) ? 0 : get_issuer(&xtmp, ctx, x); if (ok < 0) { trust = X509_TRUST_REJECTED; @@ -2963,12 +2945,12 @@ static int build_chain(X509_STORE_CTX *ctx) num = sk_X509_num(ctx->chain); OPENSSL_assert(num == ctx->num_untrusted); x = sk_X509_value(ctx->chain, num-1); - xtmp = (depth < num) ? NULL : find_issuer(ctx, sktmp, x); /* * Once we run out of untrusted issuers, we stop looking for more * and start looking only in the trust store if enabled. */ + xtmp = (ss || depth < num) ? NULL : find_issuer(ctx, sktmp, x); if (xtmp == NULL) { search &= ~S_DOUNTRUSTED; if (may_trusted) 
@@ -2976,23 +2958,21 @@ static int build_chain(X509_STORE_CTX *ctx) continue; } - if (!sk_X509_push(ctx->chain, x = xtmp)) { + /* Drop this issuer from future consideration */ + (void) sk_X509_delete_ptr(sktmp, xtmp); + + if (!sk_X509_push(ctx->chain, xtmp)) { X509err(X509_F_BUILD_CHAIN, ERR_R_MALLOC_FAILURE); trust = X509_TRUST_REJECTED; search = 0; continue; } - X509_up_ref(x); + + X509_up_ref(x = xtmp); ++ctx->num_untrusted; ss = cert_self_signed(xtmp); /* - * Not strictly necessary, but saves cycles looking at the same - * certificates over and over. - */ - (void) sk_X509_delete_ptr(sktmp, x); - - /* * Check for DANE-TA trust of the topmost untrusted certificate. */ switch (trust = check_dane_issuer(ctx, ctx->num_untrusted - 1)) { 
@@ -3021,25 +3001,84 @@ static int build_chain(X509_STORE_CTX *ctx) case X509_TRUST_TRUSTED: return 1; case X509_TRUST_REJECTED: + /* Callback already issued */ return 0; case X509_TRUST_UNTRUSTED: default: num = sk_X509_num(ctx->chain); - ctx->current_cert = sk_X509_value(ctx->chain, num - 1); - ctx->error_depth = num-1; if (num > depth) - ctx->error = X509_V_ERR_CERT_CHAIN_TOO_LONG; - else if (DANETLS_ENABLED(dane) && - (!DANETLS_HAS_PKIX(dane) || dane->pdpth >= 0)) - ctx->error = X509_V_ERR_DANE_NO_MATCH; - else if (ss && sk_X509_num(ctx->chain) == 1) - ctx->error = X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT; - else if (ss) - ctx->error = X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN; - else if (ctx->num_untrusted == num) - ctx->error = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY; - else - ctx->error = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT; - return ctx->verify_cb(0, ctx); + return verify_cb_cert(ctx, NULL, num-1, + X509_V_ERR_CERT_CHAIN_TOO_LONG); + if (DANETLS_ENABLED(dane) && + (!DANETLS_HAS_PKIX(dane) || dane->pdpth >= 0)) + return verify_cb_cert(ctx, NULL, num-1, X509_V_ERR_DANE_NO_MATCH); + if (ss && sk_X509_num(ctx->chain) == 1) + return verify_cb_cert(ctx, NULL, num-1, + X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT); + if (ss) + return verify_cb_cert(ctx, NULL, num-1, + X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN); + if (ctx->num_untrusted < num) + return verify_cb_cert(ctx, NULL, num-1, + X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT); + return verify_cb_cert(ctx, NULL, num-1, + X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY); + } +} + +static const int minbits_table[] = { 80, 112, 128, 192, 256 }; +static const int NUM_AUTH_LEVELS = OSSL_NELEM(minbits_table); + +/* + * Check whether the public key of ``cert`` meets the security level of + * ``ctx``. + * + * Returns 1 on success, 0 otherwise. 
+ */ +static int check_key_level(X509_STORE_CTX *ctx, X509 *cert) +{ + EVP_PKEY *pkey = X509_get0_pubkey(cert); + int level = ctx->param->auth_level; + + /* Unsupported or malformed keys are not secure */ + if (pkey == NULL) + return 0; + + if (level <= 0) + return 1; + if (level > NUM_AUTH_LEVELS) + level = NUM_AUTH_LEVELS; + + return EVP_PKEY_security_bits(pkey) >= minbits_table[level - 1]; +} + +/* + * Check whether the signature digest algorithm of ``cert`` meets the security + * level of ``ctx``. Should not be checked for trust anchors (whether + * self-signed or otherwise). + * + * Returns 1 on success, 0 otherwise. + */ +static int check_sig_level(X509_STORE_CTX *ctx, X509 *cert) +{ + int nid = X509_get_signature_nid(cert); + int mdnid = NID_undef; + int secbits = -1; + int level = ctx->param->auth_level; + + if (level <= 0) + return 1; + if (level > NUM_AUTH_LEVELS) + level = NUM_AUTH_LEVELS; + + /* Lookup signature algorithm digest */ + if (nid && OBJ_find_sigid_algs(nid, &mdnid, NULL)) { + const EVP_MD *md; + + /* Assume 4 bits of collision resistance for each hash octet */ + if (mdnid != NID_undef && (md = EVP_get_digestbynid(mdnid)) != NULL) + secbits = EVP_MD_size(md) * 4; } + + return secbits >= minbits_table[level - 1]; } diff --git a/crypto/x509/x509_vpm.c b/crypto/x509/x509_vpm.c index 41b0fde..4a0bed0 100644 --- a/crypto/x509/x509_vpm.c +++ b/crypto/x509/x509_vpm.c @@ -140,6 +140,7 @@ static void x509_verify_param_zero(X509_VERIFY_PARAM *param) param->inh_flags = 0; param->flags = 0; param->depth = -1; + param->auth_level = -1; /* -1 means unset, 0 is explicit */ sk_ASN1_OBJECT_pop_free(param->policies, ASN1_OBJECT_free); param->policies = NULL; sk_OPENSSL_STRING_pop_free(param->hosts, str_free); 
@@ -245,6 +246,7 @@ int X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *dest, x509_verify_param_copy(purpose, 0); x509_verify_param_copy(trust, X509_TRUST_DEFAULT); x509_verify_param_copy(depth, -1); + x509_verify_param_copy(auth_level, -1); /* If overwrite or check time not set, copy across */ @@ -368,6 +370,11 @@ void X509_VERIFY_PARAM_set_depth(X509_VERIFY_PARAM *param, int depth) param->depth = depth; } +void X509_VERIFY_PARAM_set_auth_level(X509_VERIFY_PARAM *param, int auth_level) +{ + param->auth_level = auth_level; +} + void X509_VERIFY_PARAM_set_time(X509_VERIFY_PARAM *param, time_t t) { param->check_time = t; @@ -493,6 +500,11 @@ int X509_VERIFY_PARAM_get_depth(const X509_VERIFY_PARAM *param) return param->depth; } +int X509_VERIFY_PARAM_get_auth_level(const X509_VERIFY_PARAM *param) +{ + return param->auth_level; +} + const char *X509_VERIFY_PARAM_get0_name(const X509_VERIFY_PARAM *param) { return param->name; @@ -515,6 +527,7 @@ static const X509_VERIFY_PARAM default_table[] = { 0, /* purpose */ 0, /* trust */ 100, /* depth */ + -1, /* auth_level */ NULL, /* policies */ vpm_empty_id}, { @@ -525,6 +538,7 @@ static const X509_VERIFY_PARAM default_table[] = { X509_PURPOSE_SMIME_SIGN, /* purpose */ X509_TRUST_EMAIL, /* trust */ -1, /* depth */ + -1, /* auth_level */ NULL, /* policies */ vpm_empty_id}, { @@ -535,6 +549,7 @@ static const X509_VERIFY_PARAM default_table[] = { X509_PURPOSE_SMIME_SIGN, /* purpose */ X509_TRUST_EMAIL, /* trust */ -1, /* depth */ + -1, /* auth_level */ NULL, /* policies */ vpm_empty_id}, { @@ -545,6 +560,7 @@ static const X509_VERIFY_PARAM default_table[] = { X509_PURPOSE_SSL_CLIENT, /* purpose */ X509_TRUST_SSL_CLIENT, /* trust */ -1, /* depth */ + -1, /* auth_level */ NULL, /* policies */ vpm_empty_id}, { @@ -555,6 +571,7 @@ static const X509_VERIFY_PARAM default_table[] = { X509_PURPOSE_SSL_SERVER, /* purpose */ X509_TRUST_SSL_SERVER, /* trust */ -1, /* depth */ + -1, /* auth_level */ NULL, /* policies */ vpm_empty_id} }; 
diff --git a/doc/apps/cms.pod b/doc/apps/cms.pod index 36e6b3c..42c3514 100644 --- a/doc/apps/cms.pod +++ b/doc/apps/cms.pod @@ -58,6 +58,7 @@ B B [B<-trusted_first>] [B<-no_alt_chains>] [B<-use_deltas>] +[B<-auth_level num>] [B<-verify_depth num>] [B<-verify_email email>] [B<-verify_hostname hostname>] @@ -475,8 +476,8 @@ B<-explicit_policy>, B<-extended_crl>, B<-ignore_critical>, B<-inhibit_any>, B<-inhibit_map>, B<-no_alt_chains>, B<-partial_chain>, B<-policy>, B<-policy_check>, B<-policy_print>, B<-purpose>, B<-suiteB_128>, B<-suiteB_128_only>, B<-suiteB_192>, B<-trusted_first>, B<-use_deltas>, -B<-verify_depth>, B<-verify_email>, B<-verify_hostname>, B<-verify_ip>, -B<-verify_name>, B<-x509_strict> +B<-auth_level>, B<-verify_depth>, B<-verify_email>, B<-verify_hostname>, +B<-verify_ip>, B<-verify_name>, B<-x509_strict> Set various certificate chain validation options. See the L manual page for details. diff --git a/doc/apps/ocsp.pod b/doc/apps/ocsp.pod index be195bc..c796fd5 100644 --- a/doc/apps/ocsp.pod +++ b/doc/apps/ocsp.pod @@ -53,6 +53,7 @@ B B [B<-trusted_first>] [B<-no_alt_chains>] [B<-use_deltas>] +[B<-auth_level num>] [B<-verify_depth num>] [B<-verify_email email>] [B<-verify_hostname hostname>] @@ -197,11 +198,11 @@ B<-explicit_policy>, B<-extended_crl>, B<-ignore_critical>, B<-inhibit_any>, B<-inhibit_map>, B<-no_alt_chains>, B<-partial_chain>, B<-policy>, B<-policy_check>, B<-policy_print>, B<-purpose>, B<-suiteB_128>, B<-suiteB_128_only>, B<-suiteB_192>, B<-trusted_first>, B<-use_deltas>, -B<-verify_depth>, B<-verify_email>, B<-verify_hostname>, B<-verify_ip>, -B<-verify_name>, B<-x509_strict> +B<-auth_level>, B<-verify_depth>, B<-verify_email>, B<-verify_hostname>, +B<-verify_ip>, B<-verify_name>, B<-x509_strict> Set different certificate verification options. -See L|verify(1)> manual page for details. +See L manual page for details. =item B<-verify_other file> 
diff --git a/doc/apps/s_client.pod b/doc/apps/s_client.pod index 1873293..881fbcf 100644 --- a/doc/apps/s_client.pod +++ b/doc/apps/s_client.pod @@ -45,6 +45,7 @@ B B [B<-trusted_first>] [B<-no_alt_chains>] [B<-use_deltas>] +[B<-auth_level num>] [B<-verify_depth num>] [B<-verify_email email>] [B<-verify_hostname hostname>] @@ -229,8 +230,8 @@ B<-explicit_policy>, B<-extended_crl>, B<-ignore_critical>, B<-inhibit_any>, B<-inhibit_map>, B<-no_alt_chains>, B<-partial_chain>, B<-policy>, B<-policy_check>, B<-policy_print>, B<-purpose>, B<-suiteB_128>, B<-suiteB_128_only>, B<-suiteB_192>, B<-trusted_first>, B<-use_deltas>, -B<-verify_depth>, B<-verify_email>, B<-verify_hostname>, B<-verify_ip>, -B<-verify_name>, B<-x509_strict> +B<-auth_level>, B<-verify_depth>, B<-verify_email>, B<-verify_hostname>, +B<-verify_ip>, B<-verify_name>, B<-x509_strict> Set various certificate chain validation options. See the L manual page for details. diff --git a/doc/apps/s_server.pod b/doc/apps/s_server.pod index 25e5444..08554f4 100644 --- a/doc/apps/s_server.pod +++ b/doc/apps/s_server.pod @@ -55,6 +55,7 @@ B B [B<-trusted_first>] [B<-no_alt_chains>] [B<-use_deltas>] +[B<-auth_level num>] [B<-verify_depth num>] [B<-verify_return_error>] [B<-verify_email email>] @@ -234,8 +235,8 @@ B<-explicit_policy>, B<-extended_crl>, B<-ignore_critical>, B<-inhibit_any>, B<-inhibit_map>, B<-no_alt_chains>, B<-partial_chain>, B<-policy>, B<-policy_check>, B<-policy_print>, B<-purpose>, B<-suiteB_128>, B<-suiteB_128_only>, B<-suiteB_192>, B<-trusted_first>, B<-use_deltas>, -B<-verify_depth>, B<-verify_email>, B<-verify_hostname>, B<-verify_ip>, -B<-verify_name>, B<-x509_strict> +B<-auth_level>, B<-verify_depth>, B<-verify_email>, B<-verify_hostname>, +B<-verify_ip>, B<-verify_name>, B<-x509_strict> Set different peer certificate verification options. See the L manual page for details. diff --git a/doc/apps/smime.pod b/doc/apps/smime.pod index 418d8fa..e6323ad 100644 --- a/doc/apps/smime.pod 
+++ b/doc/apps/smime.pod @@ -40,6 +40,7 @@ B B [B<-trusted_first>] [B<-no_alt_chains>] [B<-use_deltas>] +[B<-auth_level num>] [B<-verify_depth num>] [B<-verify_email email>] [B<-verify_hostname hostname>] @@ -307,8 +308,8 @@ B<-explicit_policy>, B<-extended_crl>, B<-ignore_critical>, B<-inhibit_any>, B<-inhibit_map>, B<-no_alt_chains>, B<-partial_chain>, B<-policy>, B<-policy_check>, B<-policy_print>, B<-purpose>, B<-suiteB_128>, B<-suiteB_128_only>, B<-suiteB_192>, B<-trusted_first>, B<-use_deltas>, -B<-verify_depth>, B<-verify_email>, B<-verify_hostname>, B<-verify_ip>, -B<-verify_name>, B<-x509_strict> +B<-auth_level>, B<-verify_depth>, B<-verify_email>, B<-verify_hostname>, +B<-verify_ip>, B<-verify_name>, B<-x509_strict> Set various options of certificate chain verification. See L manual page for details. diff --git a/doc/apps/ts.pod b/doc/apps/ts.pod index 93ea9e0..e64e5fc 100644 --- a/doc/apps/ts.pod +++ b/doc/apps/ts.pod @@ -73,6 +73,7 @@ I [-suiteB_192] [-trusted_first] [-use_deltas] +[-auth_level num] [-verify_depth num] [-verify_email email] [-verify_hostname hostname] 
@@ -371,17 +372,15 @@ all intermediate CA certificates unless the response includes them. =item I -The options [-attime timestamp], [-check_ss_sig], [-crl_check], -[-crl_check_all], [-explicit_policy], [-extended_crl], -[-ignore_critical], [-inhibit_any], [-inhibit_map], -[-issuer_checks], [-no_alt_chains], [-no_check_time], -[-partial_chain], [-policy arg], [-policy_check], -[-policy_print], [-purpose purpose], [-suiteB_128], -[-suiteB_128_only], [-suiteB_192], [-trusted_first], -[-use_deltas], [-verify_depth num], [-verify_email email], -[-verify_hostname hostname], [-verify_ip ip], [-verify_name name], -and [-x509_strict] can be used to control timestamp verification. -See L. +The options B<-attime timestamp>, B<-check_ss_sig>, B<-crl_check>, +B<-crl_check_all>, B<-explicit_policy>, B<-extended_crl>, B<-ignore_critical>, +B<-inhibit_any>, B<-inhibit_map>, B<-issuer_checks>, B<-no_alt_chains>, +B<-no_check_time>, B<-partial_chain>, B<-policy>, B<-policy_check>, +B<-policy_print>, B<-purpose>, B<-suiteB_128>, B<-suiteB_128_only>, +B<-suiteB_192>, B<-trusted_first>, B<-use_deltas>, B<-auth_level>, +B<-verify_depth>, B<-verify_email>, B<-verify_hostname>, B<-verify_ip>, +B<-verify_name>, and B<-x509_strict> can be used to control timestamp +verification. See L. =back diff --git a/doc/apps/verify.pod b/doc/apps/verify.pod index ecde35f..96d6be4 100644 --- a/doc/apps/verify.pod +++ b/doc/apps/verify.pod @@ -38,6 +38,7 @@ B B [B<-trusted file>] [B<-use_deltas>] [B<-verbose>] +[B<-auth_level level>] [B<-verify_depth num>] [B<-verify_email email>] [B<-verify_hostname hostname>] 
@@ -227,9 +228,30 @@ Enable support for delta CRLs. Print extra information about the operations being performed. +=item B<-auth_level level> + +Set the certificate chain authentication security level to B. +The authentication security level determines the acceptable signature and +public key strength when verifying certificate chains. +For a certificate chain to validate, the public keys of all the certificates +must meet the specified security B. +The signature algorithm security level is enforced for all the certificates in +the chain except for the chain's I, which is either directly +trusted or validated by means other than its signature. +See L for the definitions of the available +levels. +The default security level is -1, or "not set". +At security level 0 or lower all algorithms are acceptable. +Security level 1 requires at least 80-bit-equivalent security and is broadly +interoperable, though it will, for example, reject MD5 signatures or RSA keys +shorter than 1024 bits. + =item B<-verify_depth num> -Limit the maximum depth of the certificate chain to B certificates. +Limit the certificate chain to B intermediate CA certificates. +A maximal depth chain can have up to B certificates, since neither the +end-entity certificate nor the trust-anchor certificate count against the +B<-verify_depth> limit. =item B<-verify_email email> diff --git a/doc/crypto/X509_VERIFY_PARAM_set_flags.pod b/doc/crypto/X509_VERIFY_PARAM_set_flags.pod index 6fb33ed..04f5215 100644 --- a/doc/crypto/X509_VERIFY_PARAM_set_flags.pod +++ b/doc/crypto/X509_VERIFY_PARAM_set_flags.pod 
@@ -2,15 +2,16 @@ =head1 NAME -X509_VERIFY_PARAM_set_flags, X509_VERIFY_PARAM_clear_flags, X509_VERIFY_PARAM_get_flags, X509_VERIFY_PARAM_set_purpose, X509_VERIFY_PARAM_set_trust, X509_VERIFY_PARAM_set_depth, X509_VERIFY_PARAM_get_depth, X509_VERIFY_PARAM_set_time, X509_VERIFY_PARAM_add0_policy, X509_VERIFY_PARAM_set1_policies, X509_VERIFY_PARAM_set1_host, X509_VERIFY_PARAM_add1_host, X509_VERIFY_PARAM_set_hostflags, X509_VERIFY_PARAM_get0_peername, X509_VERIFY_PARAM_set1_email, X509_VERIFY_PARAM_set1_ip, X509_VERIFY_PARAM_set1_ip_asc - X509 verification parameters +X509_VERIFY_PARAM_set_flags, X509_VERIFY_PARAM_clear_flags, X509_VERIFY_PARAM_get_flags, X509_VERIFY_PARAM_set_purpose, X509_VERIFY_PARAM_set_trust, X509_VERIFY_PARAM_set_depth, X509_VERIFY_PARAM_get_depth, X509_VERIFY_PARAM_set_auth_level, X509_VERIFY_PARAM_get_auth_level, X509_VERIFY_PARAM_set_time, X509_VERIFY_PARAM_add0_policy, X509_VERIFY_PARAM_set1_policies, X509_VERIFY_PARAM_set1_host, X509_VERIFY_PARAM_add1_host, X509_VERIFY_PARAM_set_hostflags, X509_VERIFY_PARAM_get0_peername, X509_VERIFY_PARAM_set1_email, X509_VERIFY_PARAM_set1_ip, X509_VERIFY_PARAM_set1_ip_asc - X509 verification parameters =head1 SYNOPSIS #include - int X509_VERIFY_PARAM_set_flags(X509_VERIFY_PARAM *param, unsigned long flags); + int X509_VERIFY_PARAM_set_flags(X509_VERIFY_PARAM *param, + unsigned long flags); int X509_VERIFY_PARAM_clear_flags(X509_VERIFY_PARAM *param, - unsigned long flags); + unsigned long flags); unsigned long X509_VERIFY_PARAM_get_flags(X509_VERIFY_PARAM *param); int X509_VERIFY_PARAM_set_purpose(X509_VERIFY_PARAM *param, int purpose); 
@@ -19,13 +20,17 @@ X509_VERIFY_PARAM_set_flags, X509_VERIFY_PARAM_clear_flags, X509_VERIFY_PARAM_ge void X509_VERIFY_PARAM_set_time(X509_VERIFY_PARAM *param, time_t t); int X509_VERIFY_PARAM_add0_policy(X509_VERIFY_PARAM *param, - ASN1_OBJECT *policy); + ASN1_OBJECT *policy); int X509_VERIFY_PARAM_set1_policies(X509_VERIFY_PARAM *param, STACK_OF(ASN1_OBJECT) *policies); void X509_VERIFY_PARAM_set_depth(X509_VERIFY_PARAM *param, int depth); int X509_VERIFY_PARAM_get_depth(const X509_VERIFY_PARAM *param); + void X509_VERIFY_PARAM_set_auth_level(X509_VERIFY_PARAM *param, + int auth_level); + int X509_VERIFY_PARAM_get_auth_level(const X509_VERIFY_PARAM *param); + int X509_VERIFY_PARAM_set1_host(X509_VERIFY_PARAM *param, const char *name, size_t namelen); int X509_VERIFY_PARAM_add1_host(X509_VERIFY_PARAM *param, 
@@ -71,8 +76,32 @@ policy set is cleared. The B parameter can be B to clear an existing policy set. X509_VERIFY_PARAM_set_depth() sets the maximum verification depth to B. -That is the maximum number of untrusted CA certificates that can appear in a +That is the maximum number of intermediate CA certificates that can appear in a chain. +A maximal depth chain contains 2 more certificates than the limit, since +neither the end-entity ceritificate nor the trust-anchor count against this +limit. +Thus a B limit of 0 only allows the end-entity certificate to be signed +directly by the trust-anchor, while with a B limit of 1 there can be one +intermediate CA certificate between the trust-anchor and the end-entity +certificate. + +X509_VERIFY_PARAM_set_auth_level() sets the authentication security level to +B. +The authentication security level determines the acceptable signature and public +key strength when verifying certificate chains. +For a certificate chain to validate, the public keys of all the certificates +must meet the specified security level. +The signature algorithm security level is not enforced for the chain's I certificate, which is either directly trusted or validated by means other +than its signature. +See L for the definitions of the available +levels. +The default security level is -1, or "not set". +At security level 0 or lower all algorithms are acceptable. +Security level 1 requires at least 80-bit-equivalent security and is broadly +interoperable, though it will, for example, reject MD5 signatures or RSA keys +shorter than 1024 bits. X509_VERIFY_PARAM_set1_host() sets the expected DNS hostname to B clearing any previously specified host name or names. If @@ -139,6 +168,9 @@ values. X509_VERIFY_PARAM_get_depth() returns the current verification depth. +X509_VERIFY_PARAM_get_auth_level() returns the current authentication security +level. + =head1 VERIFICATION FLAGS The verification flags consists of zero or more of the following flags 
diff --git a/include/openssl/x509_vfy.h b/include/openssl/x509_vfy.h index e883349..093b0f3 100644 --- a/include/openssl/x509_vfy.h +++ b/include/openssl/x509_vfy.h @@ -355,7 +355,10 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth); # define X509_V_ERR_IP_ADDRESS_MISMATCH 64 /* DANE TLSA errors */ # define X509_V_ERR_DANE_NO_MATCH 65 - +/* security level errors */ +# define X509_V_ERR_EE_KEY_TOO_SMALL 66 +# define X509_V_ERR_CA_KEY_TOO_SMALL 67 +# define X509_V_ERR_CA_MD_TOO_WEAK 68 /* Certificate verify flags */ @@ -552,6 +555,7 @@ unsigned long X509_VERIFY_PARAM_get_flags(X509_VERIFY_PARAM *param); int X509_VERIFY_PARAM_set_purpose(X509_VERIFY_PARAM *param, int purpose); int X509_VERIFY_PARAM_set_trust(X509_VERIFY_PARAM *param, int trust); void X509_VERIFY_PARAM_set_depth(X509_VERIFY_PARAM *param, int depth); +void X509_VERIFY_PARAM_set_auth_level(X509_VERIFY_PARAM *param, int auth_level); void X509_VERIFY_PARAM_set_time(X509_VERIFY_PARAM *param, time_t t); int X509_VERIFY_PARAM_add0_policy(X509_VERIFY_PARAM *param, ASN1_OBJECT *policy); @@ -574,6 +578,7 @@ int X509_VERIFY_PARAM_set1_ip_asc(X509_VERIFY_PARAM *param, const char *ipasc); int X509_VERIFY_PARAM_get_depth(const X509_VERIFY_PARAM *param); +int X509_VERIFY_PARAM_get_auth_level(const X509_VERIFY_PARAM *param); const char *X509_VERIFY_PARAM_get0_name(const X509_VERIFY_PARAM *param); int X509_VERIFY_PARAM_add0_table(X509_VERIFY_PARAM *param); diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c index 4081ebe..24ac352 100644 --- a/ssl/ssl_cert.c +++ b/ssl/ssl_cert.c 
@@ -494,6 +494,12 @@ int ssl_verify_cert_chain(SSL *s, STACK_OF(X509) *sk) return (0); } param = X509_STORE_CTX_get0_param(&ctx); + /* + * XXX: Separate @AUTHSECLEVEL and @TLSSECLEVEL would be useful at some + * point, for now a single @SECLEVEL sets the same policy for TLS crypto + * and PKI authentication. + */ + X509_VERIFY_PARAM_set_auth_level(param, SSL_get_security_level(s)); /* Set suite B flags if needed */ X509_STORE_CTX_set_flags(&ctx, tls1_suiteb(s)); @@ -520,17 +526,8 @@ int ssl_verify_cert_chain(SSL *s, STACK_OF(X509) *sk) if (s->ctx->app_verify_callback != NULL) i = s->ctx->app_verify_callback(&ctx, s->ctx->app_verify_arg); - else { + else i = X509_verify_cert(&ctx); -# if 0 - /* Dummy error calls so mkerr generates them */ - SSLerr(SSL_F_SSL_VERIFY_CERT_CHAIN, SSL_R_EE_KEY_TOO_SMALL); - SSLerr(SSL_F_SSL_VERIFY_CERT_CHAIN, SSL_R_CA_KEY_TOO_SMALL); - SSLerr(SSL_F_SSL_VERIFY_CERT_CHAIN, SSL_R_CA_MD_TOO_WEAK); -# endif - if (i > 0) - i = ssl_security_cert_chain(s, ctx.chain, NULL, 1); - } s->verify_result = ctx.error; sk_X509_pop_free(s->verified_chain, X509_free); @@ -894,12 +891,18 @@ int ssl_add_cert_chain(SSL *s, CERT_PKEY *cpk, unsigned long *l) * ignore the error return from this call. We're not actually verifying * the cert - we're just building as much of the chain as we can */ - X509_verify_cert(&xs_ctx); + (void) X509_verify_cert(&xs_ctx); /* Don't leave errors in the queue */ ERR_clear_error(); i = ssl_security_cert_chain(s, xs_ctx.chain, NULL, 0); if (i != 1) { X509_STORE_CTX_cleanup(&xs_ctx); +#if 0 + /* Dummy error calls so mkerr generates them */ + SSLerr(SSL_F_SSL_ADD_CERT_CHAIN, SSL_R_EE_KEY_TOO_SMALL); + SSLerr(SSL_F_SSL_ADD_CERT_CHAIN, SSL_R_CA_KEY_TOO_SMALL); + SSLerr(SSL_F_SSL_ADD_CERT_CHAIN, SSL_R_CA_MD_TOO_WEAK); +#endif SSLerr(SSL_F_SSL_ADD_CERT_CHAIN, i); return 0; } diff --git a/test/certs/ca-cert-768.pem b/test/certs/ca-cert-768.pem new file mode 100644 index 0000000..0c8ff29 --- /dev/null +++ b/test/certs/ca-cert-768.pem 
@@ -0,0 +1,15 @@ +-----BEGIN CERTIFICATE----- +MIICRDCCASygAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 +IENBMCAXDTE2MDMyMDA2MjcyN1oYDzIxMTYwMzIxMDYyNzI3WjANMQswCQYDVQQD +DAJDQTB8MA0GCSqGSIb3DQEBAQUAA2sAMGgCYQC3wNLc1A9gAjz1H94ozPrLOhE2 +R8c6RQjkUIALCOuw8xbZV+AEDSqP11Bw8MVzvmpksR9s1idJhLOugwMNTHfTXJjV +DWoQh9ofR51J5sOph4yDhQBXRmiuvqMDj+a81UkCAwEAAaNQME4wHQYDVR0OBBYE +FKrzei/LKJop6yShiJupKskW0ZQcMB8GA1UdIwQYMBaAFI71Ja8em2uEPXyAmslT +nE1y96NSMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAFr4hjVtLuZz +gxLILAOREEtanckfnapUrhTLukog9Q8uzqMUE+YDEhkcP4YAVjcab6HaXrbcxXsn +zn+v+GPszD9G3doGbUjuwEEAHz+k/9sjsn8QAGw/XslYhd5dktaRRCqaTNiWT+Ks +xKntAsgXcgWNIpvGikzTB/W7IrjIV8/S1JjLABtoY88tFUX81Ohr3bFFsRc9EHVS +MtGnEwfoBOSlCUjaTWBNHHi1HstK9sG2SNT/nhN1HATk/aiCiQRKr/bm6ezPC2If +6mRidaNiQN8+vzvtn86BqtRJOEi8jj5CBax6IqwfE+lDZIwT7H9C9Cu8Yp4mTM0x +wwzRDnFVisM= +-----END CERTIFICATE----- diff --git a/test/certs/ca-cert-768i.pem b/test/certs/ca-cert-768i.pem new file mode 100644 index 0000000..acc432f --- /dev/null +++ b/test/certs/ca-cert-768i.pem @@ -0,0 +1,15 @@ +-----BEGIN CERTIFICATE----- +MIICSjCCAdSgAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 +IENBMCAXDTE2MDMyMDA2MjcyN1oYDzIxMTYwMzIxMDYyNzI3WjANMQswCQYDVQQD +DAJDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJadpD0ASxxfxsvd +j9IxsogVzMSGLFziaYuE9KejU9+R479RifvwfBANO62sNWJ19X//9G5UjwWmkiOz +n1k50DkYsBBA3mJzik6wjt/c58lBIlSEgAgpvDU8ht8w3t20JP9+YqXAeugqFj/W +l9rFQtsvaWSRywjXVlp5fxuEQelNnXcJEKhsKTNExsBUZebo4/J1BWpklWzA9P0l +YW5INvDAAwcF1nzlEf0Y6Eot03IMNyg2MTE4hehxjdgCSci8GYnFirE/ojXqqpAc +ZGh7r2dqWgZUD1Dh+bT2vjrUzj8eTH3GdzI+oljt29102JIUaqj3yzRYkah8FLF9 +CLNNsUcCAwEAAaNQME4wHQYDVR0OBBYEFLQRM/HX4l73U54gIhBPhga/H8leMB8G +A1UdIwQYMBaAFFjzE/eu8wvKwzb2aODw52C+0gLVMAwGA1UdEwQFMAMBAf8wDQYJ +KoZIhvcNAQELBQADYQCZM1sSpIyjyuGirBYvezFryUq5EyZiME3HIHJ7AbmquPtE +LcoE8lwxEYXl7OTbLZHxIKkt6+WX2TL/0yshJLq/42nh5DZwyug7fIITmkzmzidF +rbnl7fIop7OJX/kELbY= +-----END CERTIFICATE----- 
diff --git a/test/certs/ca+anyEKU.pem b/test/certs/ca-cert-md5-any.pem similarity index 54% copy from test/certs/ca+anyEKU.pem copy to test/certs/ca-cert-md5-any.pem index 36ed837..7c2b53f 100644 --- a/test/certs/ca+anyEKU.pem +++ b/test/certs/ca-cert-md5-any.pem @@ -1,6 +1,6 @@ -----BEGIN TRUSTED CERTIFICATE----- -MIIC7DCCAdSgAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 -IENBMCAXDTE2MDExNTA4MTk0OVoYDzIxMTYwMTE2MDgxOTQ5WjANMQswCQYDVQQD +MIIC7DCCAdSgAwIBAgIBAjANBgkqhkiG9w0BAQQFADASMRAwDgYDVQQDDAdSb290 +IENBMCAXDTE2MDMyMDA2MjcyN1oYDzIxMTYwMzIxMDYyNzI3WjANMQswCQYDVQQD DAJDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJadpD0ASxxfxsvd j9IxsogVzMSGLFziaYuE9KejU9+R479RifvwfBANO62sNWJ19X//9G5UjwWmkiOz n1k50DkYsBBA3mJzik6wjt/c58lBIlSEgAgpvDU8ht8w3t20JP9+YqXAeugqFj/W @@ -9,10 +9,10 @@ YW5INvDAAwcF1nzlEf0Y6Eot03IMNyg2MTE4hehxjdgCSci8GYnFirE/ojXqqpAc ZGh7r2dqWgZUD1Dh+bT2vjrUzj8eTH3GdzI+oljt29102JIUaqj3yzRYkah8FLF9 CLNNsUcCAwEAAaNQME4wHQYDVR0OBBYEFLQRM/HX4l73U54gIhBPhga/H8leMB8G A1UdIwQYMBaAFI71Ja8em2uEPXyAmslTnE1y96NSMAwGA1UdEwQFMAMBAf8wDQYJ -KoZIhvcNAQELBQADggEBADnZ9uXGAdwfNC3xuERIlBwgLROeBRGgcfHWdXZB/tWk -IM9ox88wYKWynanPbra4n0zhepooKt+naeY2HLR8UgwT6sTi0Yfld9mjytA8/DP6 -AcqtIDDf60vNI00sgxjgZqofVayA9KShzIPzjBec4zI1sg5YzoSNyH28VXFstEpi -8CVtmRYQHhc2gDI9MGge4sHRYwaIFkegzpwcEUnp6tTVe9ZvHawgsXF/rCGfH4M6 -uNO0D+9Md1bdW7382yOtWbkyibsugqnfBYCUH6hAhDlfYzpba2Smb0roc6Crq7HR -5HpEYY6qEir9wFMkD5MZsWrNRGRuzd5am82J+aaHz/4wCDAGBgRVHSUA +KoZIhvcNAQEEBQADggEBACTmLO0KOkXFNjj6hXozC9GzQYMXdCfNmgMuetk8xdVm +TqkF/qIGK2FBWn91IH0/9ydZbL83EKjPjqjwqzXqExJ0Un+fy7XbYMKtjGJ21egJ +x97jzKey5phEwRD/4fJ+PCml9eE/SNzBV0xKSDq4qQYvSJ3GF6KCATVlr0bDzQJZ +yTY3FeNoy+K7Mb0rHtsGru60C/Ft1dl9uiJ+yKXMiCxPcDjYb+95mA9QJ1kXfR8J +JVfeKhEEK+QIVpz/37aQ4jx/zbGblFsruALK22aLnpgrfUzrsYQ8W8T/DV2dV1ra +4wHz/QtlE4isInOaK2+pvXwyGar+1/s3+VxXEiPlZ7IwCDAGBgRVHSUA -----END TRUSTED CERTIFICATE----- 
diff --git a/test/certs/ca-cert.pem b/test/certs/ca-cert-md5.pem similarity index 54% copy from test/certs/ca-cert.pem copy to test/certs/ca-cert-md5.pem index f6bc233..be564dd 100644 --- a/test/certs/ca-cert.pem +++ b/test/certs/ca-cert-md5.pem @@ -1,6 +1,6 @@ -----BEGIN CERTIFICATE----- -MIIC7DCCAdSgAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 -IENBMCAXDTE2MDExNTA4MTk0OVoYDzIxMTYwMTE2MDgxOTQ5WjANMQswCQYDVQQD +MIIC7DCCAdSgAwIBAgIBAjANBgkqhkiG9w0BAQQFADASMRAwDgYDVQQDDAdSb290 +IENBMCAXDTE2MDMyMDA2MjcyN1oYDzIxMTYwMzIxMDYyNzI3WjANMQswCQYDVQQD DAJDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJadpD0ASxxfxsvd j9IxsogVzMSGLFziaYuE9KejU9+R479RifvwfBANO62sNWJ19X//9G5UjwWmkiOz n1k50DkYsBBA3mJzik6wjt/c58lBIlSEgAgpvDU8ht8w3t20JP9+YqXAeugqFj/W @@ -9,10 +9,10 @@ YW5INvDAAwcF1nzlEf0Y6Eot03IMNyg2MTE4hehxjdgCSci8GYnFirE/ojXqqpAc ZGh7r2dqWgZUD1Dh+bT2vjrUzj8eTH3GdzI+oljt29102JIUaqj3yzRYkah8FLF9 CLNNsUcCAwEAAaNQME4wHQYDVR0OBBYEFLQRM/HX4l73U54gIhBPhga/H8leMB8G A1UdIwQYMBaAFI71Ja8em2uEPXyAmslTnE1y96NSMAwGA1UdEwQFMAMBAf8wDQYJ -KoZIhvcNAQELBQADggEBADnZ9uXGAdwfNC3xuERIlBwgLROeBRGgcfHWdXZB/tWk -IM9ox88wYKWynanPbra4n0zhepooKt+naeY2HLR8UgwT6sTi0Yfld9mjytA8/DP6 -AcqtIDDf60vNI00sgxjgZqofVayA9KShzIPzjBec4zI1sg5YzoSNyH28VXFstEpi -8CVtmRYQHhc2gDI9MGge4sHRYwaIFkegzpwcEUnp6tTVe9ZvHawgsXF/rCGfH4M6 -uNO0D+9Md1bdW7382yOtWbkyibsugqnfBYCUH6hAhDlfYzpba2Smb0roc6Crq7HR -5HpEYY6qEir9wFMkD5MZsWrNRGRuzd5am82J+aaHz/4= +KoZIhvcNAQEEBQADggEBACTmLO0KOkXFNjj6hXozC9GzQYMXdCfNmgMuetk8xdVm +TqkF/qIGK2FBWn91IH0/9ydZbL83EKjPjqjwqzXqExJ0Un+fy7XbYMKtjGJ21egJ +x97jzKey5phEwRD/4fJ+PCml9eE/SNzBV0xKSDq4qQYvSJ3GF6KCATVlr0bDzQJZ +yTY3FeNoy+K7Mb0rHtsGru60C/Ft1dl9uiJ+yKXMiCxPcDjYb+95mA9QJ1kXfR8J +JVfeKhEEK+QIVpz/37aQ4jx/zbGblFsruALK22aLnpgrfUzrsYQ8W8T/DV2dV1ra +4wHz/QtlE4isInOaK2+pvXwyGar+1/s3+VxXEiPlZ7I= -----END CERTIFICATE----- diff --git a/test/certs/ca-key-768.pem b/test/certs/ca-key-768.pem new file mode 100644 index 0000000..7aea5ed --- /dev/null +++ b/test/certs/ca-key-768.pem 
@@ -0,0 +1,13 @@ +-----BEGIN PRIVATE KEY----- +MIIB5QIBADANBgkqhkiG9w0BAQEFAASCAc8wggHLAgEAAmEAt8DS3NQPYAI89R/e +KMz6yzoRNkfHOkUI5FCACwjrsPMW2VfgBA0qj9dQcPDFc75qZLEfbNYnSYSzroMD +DUx301yY1Q1qEIfaH0edSebDqYeMg4UAV0Zorr6jA4/mvNVJAgMBAAECYQCJAsu3 +QJ9eNQ0CsQpTXdO6aMegs5CHkCX7J1Lx52rl+7uTv4QXQUH1EtS2AbEYhmdGzMFN +ZlBrg1vDsW/yn02NZzvT6xT/kvzFhQVw1i8B0YyB8wPao3f2ZxPkAfeoAAECMQDa +6VkNYlHgPOlTtwU1WYUirFczpipQsuk/lIf7B3+rVRUHoAE4nbeIRJgkKZaJEAEC +MQDW4pYsyN79HEqFpOFlfsrERw3y4hLRXGeHxbfJFdAe7SUfNj28ZI2EPFE0DJhX +RUkCMA39M2+jhM/rlI2A+Jg8LEHW+YuXZsTZagZiG35zMDlmqn1eQDW5/mx61a4Z +6kDAAQIwIlbZWtTK1bX0rsC3iEmny4/zSbIZAb37iXXuNcM3nAmXmhJH8Vg8STp+ +W4v7uE6JAjEAwiB9wCVwG4UhvKNQ4Wd2mfJiKZQNF4rL4ID0g+Wk6kX67c7u2hfH +sSaluw9nM91s +-----END PRIVATE KEY----- diff --git a/test/certs/ee-cert-768.pem b/test/certs/ee-cert-768.pem new file mode 100644 index 0000000..794f93c --- /dev/null +++ b/test/certs/ee-cert-768.pem @@ -0,0 +1,16 @@ +-----BEGIN CERTIFICATE----- +MIICeDCCAWCgAwIBAgIBAjANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDDAJDQTAg +Fw0xNjAzMjAwNjI3MjdaGA8yMTE2MDMyMTA2MjcyN1owGTEXMBUGA1UEAwwOc2Vy +dmVyLmV4YW1wbGUwfDANBgkqhkiG9w0BAQEFAANrADBoAmEAwCvrPAynx+7VtpFz +4cWZW3/n3/nMwK4fxkWSB0kbVUhQaYiaQGWEfB4JpRz5rPt8NW5m2aVGT7mMjScu +8YyFa3IDdpBeQL1n8VQUH3FLySgQHC1bkkzwyzQM8JirCdl/AgMBAAGjfTB7MB0G +A1UdDgQWBBSRBasp1P/UDCesreviw4Lwz8tFBDAfBgNVHSMEGDAWgBS0ETPx1+Je +91OeICIQT4YGvx/JXjAJBgNVHRMEAjAAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBkG +A1UdEQQSMBCCDnNlcnZlci5leGFtcGxlMA0GCSqGSIb3DQEBCwUAA4IBAQB5xled +do7U++n86KmJDGnXd4XMpr1QbTFVSO7fhSiObeGm961re/TI7AhuLlsZYP601YhZ +pRe9B7tiEuzu3iCD4kKB0yxgUCSsF0u1KbHSUNe2H5bBJC21c2eLZh6U54y014nL +gFSDOsA8M1301+Hlh5AS+4iTR0Ra02RaZb3L5HCR2wtkJubh3rSj8eBzb6fx+Lhw +JoeRg34lhycGC4bBVwkRT8bo73Nrs71JUP2A6/PjdsIfF2rtVMEuIq8AMQ5wInZ+ +2mIxJ4MwCClwLCq3VxI1bzdf1TYsPNxYTUS1POb2VgNofG0mBTHNUYUO20aF0ct8 +PCQqIqxUIegfS3f5 +-----END CERTIFICATE----- 
diff --git a/test/certs/ee-cert2.pem b/test/certs/ee-cert-768i.pem similarity index 50% copy from test/certs/ee-cert2.pem copy to test/certs/ee-cert-768i.pem index b6ad976..d6532fb 100644 --- a/test/certs/ee-cert2.pem +++ b/test/certs/ee-cert-768i.pem @@ -1,6 +1,6 @@ -----BEGIN CERTIFICATE----- -MIIDIDCCAgigAwIBAgIBAjANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDDAJDQTAg -Fw0xNjAxMTUwODE5NDlaGA8yMTE2MDExNjA4MTk0OVowGTEXMBUGA1UEAwwOc2Vy +MIICfjCCAgigAwIBAgIBAjANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDDAJDQTAg +Fw0xNjAzMjAwNjI3MjdaGA8yMTE2MDMyMTA2MjcyN1owGTEXMBUGA1UEAwwOc2Vy dmVyLmV4YW1wbGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCo/4lY YYWu3tssD9Vz++K3qBt6dWAr1H08c3a1rt6TL38kkG3JHPSKOM2fooAWVsu0LLuT 5Rcf/w3GQ/4xNPgo2HXpo7uIgu+jcuJTYgVFTeAxl++qnRDSWA2eBp4yuxsIVl1l @@ -8,12 +8,9 @@ Dz9mjsI2oBH/wFk1/Ukc3RxCMwZ4rgQ4I+XndWfTlK1aqUAfrFkQ9QzBZK1KxMY1 U7OWaoIbFYvRmavknm+UqtKW5Vf7jJFkijwkFsbSGb6CYBM7YrDtPh2zyvlr3zG5 ep5LR2inKcc/SuIiJ7TvkGPX79ByST5brbkb1Ctvhmjd1XMSuEPJ3EEPoqNGT4tn iIQPYf55NB9KiR+3AgMBAAGjfTB7MB0GA1UdDgQWBBTnm+IqrYpsOst2UeWOB5gi -l+FzojAfBgNVHSMEGDAWgBQBaJ1v+UdTZGJOltvDcSXTMk5QrTAJBgNVHRMEAjAA +l+FzojAfBgNVHSMEGDAWgBSq83ovyyiaKeskoYibqSrJFtGUHDAJBgNVHRMEAjAA MBMGA1UdJQQMMAoGCCsGAQUFBwMBMBkGA1UdEQQSMBCCDnNlcnZlci5leGFtcGxl -MA0GCSqGSIb3DQEBCwUAA4IBAQC8XKL6Bh01xQv+3BTk4Kqu95/TEecZdBPsxU4r -mCT829HsTw54Od7ID64Kzxi52RtJKPDnd3GB1tDAChEYI+U0g3582JiZCXPwxkC0 -y2YEhsXgatfOj0h5eT47FdmH7YeY4S6PxNo7Ek3ma5523M6dqcbP71fLvFptu5DZ -dP9+I9hxeojAeumKONzVK4ADWthqgMgVKqjV34lqNNcWDEXgOUjJwT1HXnlwnCMk -PtdnDSvzHEQFt25RZwkiOjimC97FZAPmsyYmLHc4q6s81ms5M4S9dackCA6TDRvv -sOzivaeM07/94iKBINFpoHpJmD9Z5zE+vH2weMVjhSQnFsGc +MA0GCSqGSIb3DQEBCwUAA2EASAwDwXsYGnhQDyWixI9eKZwXAA9E4rEIdmKNvVjU +jWkMh1oC0FZl4TTHU+sAaXmv2QItZOcG2QEHoTIZDPYiy+7eZC7pPQY25dkxeSZ9 +TIlMnfePzYTc3BnfxZj82Mny -----END CERTIFICATE----- diff --git a/test/certs/ee-cert.pem b/test/certs/ee-cert-md5.pem similarity index 56% copy from test/certs/ee-cert.pem copy to test/certs/ee-cert-md5.pem index 05d2318d..8c26422 100644 
--- a/test/certs/ee-cert.pem +++ b/test/certs/ee-cert-md5.pem @@ -1,6 +1,6 @@ -----BEGIN CERTIFICATE----- -MIIDIDCCAgigAwIBAgIBAjANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDDAJDQTAg -Fw0xNjAxMTUwODE5NDlaGA8yMTE2MDExNjA4MTk0OVowGTEXMBUGA1UEAwwOc2Vy +MIIDIDCCAgigAwIBAgIBAjANBgkqhkiG9w0BAQQFADANMQswCQYDVQQDDAJDQTAg +Fw0xNjAzMjAwNjI3MjdaGA8yMTE2MDMyMTA2MjcyN1owGTEXMBUGA1UEAwwOc2Vy dmVyLmV4YW1wbGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCo/4lY YYWu3tssD9Vz++K3qBt6dWAr1H08c3a1rt6TL38kkG3JHPSKOM2fooAWVsu0LLuT 5Rcf/w3GQ/4xNPgo2HXpo7uIgu+jcuJTYgVFTeAxl++qnRDSWA2eBp4yuxsIVl1l @@ -10,10 +10,10 @@ ep5LR2inKcc/SuIiJ7TvkGPX79ByST5brbkb1Ctvhmjd1XMSuEPJ3EEPoqNGT4tn iIQPYf55NB9KiR+3AgMBAAGjfTB7MB0GA1UdDgQWBBTnm+IqrYpsOst2UeWOB5gi l+FzojAfBgNVHSMEGDAWgBS0ETPx1+Je91OeICIQT4YGvx/JXjAJBgNVHRMEAjAA MBMGA1UdJQQMMAoGCCsGAQUFBwMBMBkGA1UdEQQSMBCCDnNlcnZlci5leGFtcGxl -MA0GCSqGSIb3DQEBCwUAA4IBAQBBtDxPYULl5b7VFC7/U0NgV8vTJk4zpPnUMMQ4 -QF2AWDFAek8oLKrz18KQ8M/DEhDxgkaoeXEMLT6BJUEVNYuFEYHEDGarl0nMDRXL -xOgAExfz3Tf/pjsLaha5aWH7NyCSKWC+lYkIOJ/Kb/m/6QsDJoXsEC8AhrPfqJhz -UzsCoxIlaDWqawH4+S8bdeX0tvs2VtJk/WOJHxMqXra6kgI4fAgyvr2kIZHinQ3y -cgX40uAC38bwpE95kJ7FhSfQlE1Rt7sOspUj098Dd0RNDn2uKyOTxEqIELHfw4AX -O3XAzt8qDyho8nEd/xiQ6qgsQnvXa+hSRJw42g3/czVskxRx +MA0GCSqGSIb3DQEBBAUAA4IBAQBqCPfIEZOVUiq2exiRFoxVOvq668Y55lJZ9+4j +E5Ncq9mdbuD7GIxJSKByf899yBJUG32ZIbmwnSHfBkPolc/LjQhUDxJtSBE8vFaA +8AZ1rsOcaWapPQ94gYIgncBS15t7RjTX1l04fY0NPqVsWmTji+ummA5e7iCj6l6t +CqRGhMeSZWa1mc+Plurmz7oWEqkUK5cfTrlDnXeQNOI8EK8lc636elqqdnw0amO4 +yKJlaXRlm/I1nQdUQ0G5Bk2Tp/QGoJCtJ25XsoIbnCs0tIbpQllTdLsRQmOussAP +NvdwbKtAAolgMAxH9pl1Mc6OIo2e8405EWs1jvGEMgE0IFAY -----END CERTIFICATE----- diff --git a/test/certs/ee-key-768.pem b/test/certs/ee-key-768.pem new file mode 100644 index 0000000..0d44f85 --- /dev/null +++ b/test/certs/ee-key-768.pem 
@@ -0,0 +1,13 @@ +-----BEGIN PRIVATE KEY----- +MIIB5QIBADANBgkqhkiG9w0BAQEFAASCAc8wggHLAgEAAmEAwCvrPAynx+7VtpFz +4cWZW3/n3/nMwK4fxkWSB0kbVUhQaYiaQGWEfB4JpRz5rPt8NW5m2aVGT7mMjScu +8YyFa3IDdpBeQL1n8VQUH3FLySgQHC1bkkzwyzQM8JirCdl/AgMBAAECYQCzO0MW +qqcBrhvdPyPZerZhxJW7K/xv6PbxsYlVCjZYAC4ff6x+SzCZolpUiQXE9Hdyhlyk +alcqn2vT5TagWk64YUmIMP7BCT2Ps/IW0nQl07k27c2BNq3IzdRnBz5SbQECMQDg +9UxISqFOG6sLdZIKA88Q+M2HE/MdzwiJby/bSUXhn5aluZqjR60nGPqAb2S/r98C +MQDasGzUTXqEYOPsAL4irzKMMiMdqbj6dNHsmo1GIYKx8PuN193i/cNd5XDv78Gm +imECMQC10IvewbKtVl9f2540ye9JYE18pvsPVI0pxtt++DGqsTkoqGH7JasktmN/ ++ogLBTECMBf9/xKTpXtcfeTod/OqMOt8nKmmcyrXIijJE/K7vnDzNUXshuVeXc6x +W2CXdzFkQQIweyLLA6etAJGsmCRwIgnfp1ubmVdfPou68byHSnzAf4/GxBriSd5b +EQcYwjE7SDI7 +-----END PRIVATE KEY----- diff --git a/test/certs/mkcert.sh b/test/certs/mkcert.sh index 99e7d2a..ec2e374 100755 --- a/test/certs/mkcert.sh +++ b/test/certs/mkcert.sh @@ -10,6 +10,10 @@ # DAYS=36525 +if [ -z "$OPENSSL_SIGALG" ]; then + OPENSSL_SIGALG=sha256 +fi + stderr_onerror() { ( err=$("$@" >&3 2>&1) || { @@ -53,7 +57,7 @@ req() { local errs stderr_onerror \ - openssl req -new -sha256 -key "${key}.pem" \ + openssl req -new -"${OPENSSL_SIGALG}" -key "${key}.pem" \ -config <(printf "[req]\n%s\n%s\n[dn]\nCN=%s\n" \ "prompt = no" "distinguished_name = dn" "${cn}") } @@ -63,7 +67,7 @@ req_nocn() { key "$key" stderr_onerror \ - openssl req -new -sha256 -subj / -key "${key}.pem" \ + openssl req -new -"${OPENSSL_SIGALG}" -subj / -key "${key}.pem" \ -config <(printf "[req]\n%s\n[dn]\nCN_default =\n" \ "distinguished_name = dn") } @@ -73,7 +77,7 @@ cert() { local exts=$1; shift stderr_onerror \ - openssl x509 -req -sha256 -out "${cert}.pem" \ + openssl x509 -req -"${OPENSSL_SIGALG}" -out "${cert}.pem" \ -extfile <(printf "%s\n" "$exts") "$@" } diff --git a/test/certs/root-cert-768.pem b/test/certs/root-cert-768.pem new file mode 100644 index 0000000..4392ef0 --- /dev/null +++ b/test/certs/root-cert-768.pem 
@@ -0,0 +1,11 @@ +-----BEGIN CERTIFICATE----- +MIIBpzCCATGgAwIBAgIBATANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 +IENBMCAXDTE2MDMyMDA2MjcyN1oYDzIxMTYwMzIxMDYyNzI3WjASMRAwDgYDVQQD +DAdSb290IENBMHwwDQYJKoZIhvcNAQEBBQADawAwaAJhALntqSk2YVnhNalAikA2 +tuSOvHUKVSJlqjKmzlUPI+gQFyBWxtyQdwepI87tl8EW1in2IiOeN49W+OtVOlBi +Mxwqi/BcBltTbbSrlRpoSKOH6V7zIXvfsqjwWsDi37V1xQIDAQABo1AwTjAdBgNV +HQ4EFgQUWPMT967zC8rDNvZo4PDnYL7SAtUwHwYDVR0jBBgwFoAUWPMT967zC8rD +NvZo4PDnYL7SAtUwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAANhAFDU7FyF +Ma6EG0OBS4IYws2US9t3IQwlI5noQwm9R3Nk/3AIUrdPG8ydRyV1N4GuRhRpprh0 +sEbX3ZO9/E54DbPYfS5kqfZZtohUNy+Wmx8XY9OSv4SWUrrMSIRFXS63MA== +-----END CERTIFICATE----- diff --git a/test/certs/root-cert.pem b/test/certs/root-cert-md5.pem similarity index 53% copy from test/certs/root-cert.pem copy to test/certs/root-cert-md5.pem index 21ffa4d..b6ed10c 100644 --- a/test/certs/root-cert.pem +++ b/test/certs/root-cert-md5.pem @@ -1,6 +1,6 @@ -----BEGIN CERTIFICATE----- -MIIC8TCCAdmgAwIBAgIBATANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 -IENBMCAXDTE2MDExNTA4MTk0OVoYDzIxMTYwMTE2MDgxOTQ5WjASMRAwDgYDVQQD +MIIC8TCCAdmgAwIBAgIBATANBgkqhkiG9w0BAQQFADASMRAwDgYDVQQDDAdSb290 +IENBMCAXDTE2MDMyMDA2MjcyN1oYDzIxMTYwMzIxMDYyNzI3WjASMRAwDgYDVQQD DAdSb290IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4eYA9Qa8 oEY4eQ8/HnEZE20C3yubdmv8rLAh7daRCEI7pWM17FJboKJKxdYAlAOXWj25ZyjS feMhXKTtxjyNjoTRnVTDPdl0opZ2Z3H5xhpQd7P9eO5b4OOMiSPCmiLsPtQ3ngfN 
@@ -9,10 +9,10 @@ MUjRhipqVSZ66As2Tpex4KTJ2lxpSwOACFaDox+yKrjBTP7FsU3UwAGq7b7OJb3u aa32B81uK6GJVPVo65gJ7clgZsszYkoDsGjWDqtfwTVVfv1G7rrr3Laio+2Ff3ff tWgiQ35mJCOvxQIDAQABo1AwTjAdBgNVHQ4EFgQUjvUlrx6ba4Q9fICayVOcTXL3 o1IwHwYDVR0jBBgwFoAUjvUlrx6ba4Q9fICayVOcTXL3o1IwDAYDVR0TBAUwAwEB -/zANBgkqhkiG9w0BAQsFAAOCAQEAyRRJx27WYOogPXZpPfAMt8ptapr/ugLWGLlw -bzKySoyLpoV2/YNAvTAGB90iFq6x/ujjrK41/ES0p3v38/Qfuxo24gcZgc/oYLV2 -UqR+uGCx68p2OWLYctBsARtYWOEgPhHFb9aVxcOQKyZHtivDX0wLGX+nqZoHX9IY -mc0sbpRBRMzxRsChbzD5re9kZ5NrgkjA6DJ7jYh2GitOM6oIU3Dd9+pk3bCEkFUg -Ry9qN/k+AyeqH1Qcb5LU+MTmlw8bmyzmMOBZgdegtO4HshcBMO054KSB3WSfBPDO -bEhZ0vm/lw63TGi88yIMtlkmcU2g0RKpeQI96G6QeqHyKF3p8A== +/zANBgkqhkiG9w0BAQQFAAOCAQEAwSTZo97psLqiNmgvCC/Z51F3S9bFKPjGK4dc +Kqh8pMJsb8DnfGlPnsYXq/0oPcBThTRGZDqTeZa0ms8G+g4GS21TPF7lmvVJUJhz +GRLJxX7TYB8xriSJ15DwZgGmEGPfzmoIq27nwrO4TRAi0TCLdw01XZwiq2V7anl+ +jrIpJPDuaT3oBqnGTMZ5IoaQq2TX8PS/ZW6icJiRmXLMp/HUycKpDUshiuARR5Mi +UOzX8IHwn76Zj6z1R8xW9j1WcEycFYevTMaRuS6hnYagiSaAytIQU8hgMR4AWodM +NFYv5t9rguJnimGUGMMBIYXnPNE2kaoq9qCVgjuC14gWU0kq6Q== -----END CERTIFICATE----- diff --git a/test/certs/root-key-768.pem b/test/certs/root-key-768.pem new file mode 100644 index 0000000..4ecdcd3 --- /dev/null +++ b/test/certs/root-key-768.pem @@ -0,0 +1,13 @@ +-----BEGIN PRIVATE KEY----- +MIIB5AIBADANBgkqhkiG9w0BAQEFAASCAc4wggHKAgEAAmEAue2pKTZhWeE1qUCK +QDa25I68dQpVImWqMqbOVQ8j6BAXIFbG3JB3B6kjzu2XwRbWKfYiI543j1b461U6 +UGIzHCqL8FwGW1NttKuVGmhIo4fpXvMhe9+yqPBawOLftXXFAgMBAAECYH1FP4Bg +/16Lepg6v+tb8gY0lY1WFN5EGVRfRw3QUaT9kldboEjjnQ8wSswVEPYr56IHZ8mH +Or8LtJVrB3fjriq5vNOt7lRscuV7IcVtOyVWu5+MoJmO67Q2vRJXLWTdAQIxANtp +AiqObXo8vyT+EDcOEW104PfKNVh/4fhyrDwAk/yTcxkv4dcnuTykeLPvkXq4cQIx +ANjvQa+9LubMy3N1uXIbWWsiEBi4BdNK+xuppJ2puckaiQU42Mfmw/Nj4LMEJLfc +lQIwCYcv3uU8f9hvfI3D6oAj5Zrzwg737hXvnDhunlRwGMHWd7uKlStWcfm6fCXl +LW0hAjEAneK0egVEp3IR+PyLdcL194UZFgSJKNj/nYiAaMdokjcf1o8jJ4qKvw/I +MEIpvy9pAjAzaFHKRugCN01V2dgXYYGL8+zkcwG4ehDXH1XEs4v8r3WtHBPPKED6 +AemfAQJLvh8= +-----END PRIVATE KEY----- 
diff --git a/test/certs/setup.sh b/test/certs/setup.sh index 9606c77..f341046 100755 --- a/test/certs/setup.sh +++ b/test/certs/setup.sh @@ -32,6 +32,14 @@ openssl x509 -in root-nonca.pem -trustout \ openssl x509 -in root-nonca.pem -trustout \ -addtrust anyExtendedKeyUsage -out nroot+anyEKU.pem +# Root CA security level variants: +# MD5 self-signature +OPENSSL_SIGALG=md5 \ +./mkcert.sh genroot "Root CA" root-key root-cert-md5 +# 768-bit key +OPENSSL_KEYBITS=768 \ +./mkcert.sh genroot "Root CA" root-key-768 root-cert-768 + # primary client-EKU root: croot-cert # trust variants: +serverAuth -serverAuth +clientAuth +anyEKU -anyEKU # @@ -97,6 +105,18 @@ openssl x509 -in ca-nonca.pem -trustout \ openssl x509 -in ca-nonca.pem -trustout \ -addtrust serverAuth -out nca+anyEKU.pem +# Intermediate CA security variants: +# MD5 issuer signature, +OPENSSL_SIGALG=md5 \ +./mkcert.sh genca "CA" ca-key ca-cert-md5 root-key root-cert +openssl x509 -in ca-cert-md5.pem -trustout \ + -addtrust anyExtendedKeyUsage -out ca-cert-md5-any.pem +# Issuer has 768-bit key +./mkcert.sh genca "CA" ca-key ca-cert-768i root-key-768 root-cert-768 +# CA has 768-bit key +OPENSSL_KEYBITS=768 \ +./mkcert.sh genca "CA" ca-key-768 ca-cert-768 root-key root-cert + # client intermediate ca: cca-cert # trust variants: +serverAuth, -serverAuth, +clientAuth, -clientAuth # @@ -152,3 +172,13 @@ openssl x509 -in ee-client.pem -trustout \ -addtrust clientAuth -out ee+clientAuth.pem openssl x509 -in ee-client.pem -trustout \ -addreject clientAuth -out ee-clientAuth.pem + +# Leaf cert security level variants +# MD5 issuer signature +OPENSSL_SIGALG=md5 \ +./mkcert.sh genee server.example ee-key ee-cert-md5 ca-key ca-cert +# 768-bit issuer key +./mkcert.sh genee server.example ee-key ee-cert-768i ca-key-768 ca-cert-768 +# 768-bit leaf key +OPENSSL_KEYBITS=768 \ +./mkcert.sh genee server.example ee-key-768 ee-cert-768 ca-key ca-cert 
diff --git a/test/recipes/25-test_verify.t b/test/recipes/25-test_verify.t index d4131cc..e025739 100644 --- a/test/recipes/25-test_verify.t +++ b/test/recipes/25-test_verify.t @@ -10,7 +10,7 @@ setup("test_verify"); sub verify { my ($cert, $purpose, $trusted, $untrusted, @opts) = @_; - my @args = qw(openssl verify -purpose); + my @args = qw(openssl verify -auth_level 1 -purpose); my @path = qw(test certs); push(@args, "$purpose", @opts); for (@$trusted) { push(@args, "-trusted", srctop_file(@path, "$_.pem")) } @@ -19,7 +19,7 @@ sub verify { run(app([@args])); } -plan tests => 83; +plan tests => 101; # Canonical success ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]), 
@@ -214,3 +214,47 @@ ok(verify("ee-client", "sslclient", [qw(ee+clientAuth)], [], "-partial_chain"), "accept direct match with client trust"); ok(!verify("ee-client", "sslclient", [qw(ee-clientAuth)], [], "-partial_chain"), "reject direct match with client mistrust"); + +# Security level tests +ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"], "-auth_level", "2"), + "accept RSA 2048 chain at auth level 2"); +ok(!verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"], "-auth_level", "3"), + "reject RSA 2048 root at auth level 3"); +ok(verify("ee-cert", "sslserver", ["root-cert-768"], ["ca-cert-768i"], "-auth_level", "0"), + "accept RSA 768 root at auth level 0"); +ok(!verify("ee-cert", "sslserver", ["root-cert-768"], ["ca-cert-768i"]), + "reject RSA 768 root at auth level 1"); +ok(verify("ee-cert-768i", "sslserver", ["root-cert"], ["ca-cert-768"], "-auth_level", "0"), + "accept RSA 768 intermediate at auth level 0"); +ok(!verify("ee-cert-768i", "sslserver", ["root-cert"], ["ca-cert-768"]), + "reject RSA 768 intermediate at auth level 1"); +ok(verify("ee-cert-768", "sslserver", ["root-cert"], ["ca-cert"], "-auth_level", "0"), + "accept RSA 768 leaf at auth level 0"); +ok(!verify("ee-cert-768", "sslserver", ["root-cert"], ["ca-cert"]), + "reject RSA 768 leaf at auth level 1"); +# +ok(verify("ee-cert", "sslserver", ["root-cert-md5"], ["ca-cert"], "-auth_level", "2"), + "accept md5 self-signed TA at auth level 2"); +ok(verify("ee-cert", "sslserver", ["ca-cert-md5-any"], [], "-auth_level", "2"), + "accept md5 intermediate TA at auth level 2"); +ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert-md5"], "-auth_level", "0"), + "accept md5 intermediate at auth level 0"); +ok(!verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert-md5"]), + "reject md5 intermediate at auth level 1"); +ok(verify("ee-cert-md5", "sslserver", ["root-cert"], ["ca-cert"], "-auth_level", "0"), + "accept md5 leaf at auth level 0"); +ok(!verify("ee-cert-md5", "sslserver", 
["root-cert"], ["ca-cert"]), + "reject md5 leaf at auth level 1"); + +# Depth tests, note the depth limit bounds the number of CA certificates +# between the trust-anchor and the leaf, so, for example, with a root->ca->leaf +# chain, depth = 1 is sufficient, but depth == 0 is not. +# +ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"], "-verify_depth", "2"), + "accept chain with verify_depth 2"); +ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"], "-verify_depth", "1"), + "accept chain with verify_depth 1"); +ok(!verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"], "-verify_depth", "0"), + "accept chain with verify_depth 0"); +ok(verify("ee-cert", "sslserver", ["ca-cert-md5-any"], [], "-verify_depth", "0"), + "accept md5 intermediate TA with verify_depth 0"); diff --git a/util/libcrypto.num b/util/libcrypto.num index 6268a86..e1ca4ef 100644 --- a/util/libcrypto.num +++ b/util/libcrypto.num @@ -4122,3 +4122,5 @@ DSA_meth_new 3987 1_1_0 EXIST::FUNCTION:DSA DSA_meth_set_flags 3988 1_1_0 EXIST::FUNCTION:DSA DSA_meth_get_sign_setup 3989 1_1_0 EXIST::FUNCTION:DSA DSA_get0_engine 3990 1_1_0 EXIST::FUNCTION:DSA +X509_VERIFY_PARAM_set_auth_level 3991 1_1_0 EXIST::FUNCTION: +X509_VERIFY_PARAM_get_auth_level 3992 1_1_0 EXIST::FUNCTION: From builds at travis-ci.org Sun Apr 3 16:03:59 2016 
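Review bot: In the depth tests added at the end of test/recipes/25-test_verify.t, the third check is ok(!verify(..., "-verify_depth", "0"), "accept chain with verify_depth 0"), so the assertion expects rejection while the description says "accept". The rejection matches the comment above it (depth 0 is not sufficient for root->ca->leaf), so rename the description to "reject chain with verify_depth 0" so that a failure report reads correctly. The plan bump from 83 to 101 matches the 18 added checks. Separately, verify() now always passes "-auth_level 1", and the level 0, 2 and 3 cases pass a second "-auth_level" through @opts, so they depend on the last occurrence winning; a one-line comment in verify() saying so would help the next reader.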
From: builds at travis-ci.org (Travis CI) Date: Sun, 03 Apr 2016 16:03:59 +0000 Subject: [openssl-commits] Still Failing: openssl/openssl#3199 (master - bb3bdf0) In-Reply-To: Message-ID: <57013eeed921c_33fea498dd998463197@4ba6f9de-f08c-4cd1-8e44-5431073b6adf.mail> Build Update for openssl/openssl ------------------------------------- Build: #3199 Status: Still Failing Duration: 25 minutes and 3 seconds Commit: bb3bdf0 (master) Author: Viktor Dukhovni Message: make update Reviewed-by: Dr. Stephen Henson View the changeset: https://github.com/openssl/openssl/compare/0f1ef63bf170...bb3bdf0507ac View the full build log and details: https://travis-ci.org/openssl/openssl/builds/120441650 -- You can configure recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications -------------- next part -------------- An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Sun Apr 3 16:30:46 2016 From: no-reply at appveyor.com (AppVeyor) Date: Sun, 03 Apr 2016 16:30:46 +0000 Subject: [openssl-commits] Build failed: openssl master.2517 Message-ID: <20160403163046.32755.22390.92E94DCD@appveyor.com> An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Sun Apr 3 17:53:47 2016 From: no-reply at appveyor.com (AppVeyor) Date: Sun, 03 Apr 2016 17:53:47 +0000 Subject: [openssl-commits] Build failed: openssl master.2518 Message-ID: <20160403175347.9104.56255.E93AD946@appveyor.com> An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Sun Apr 3 18:57:08 2016 From: no-reply at appveyor.com (AppVeyor) Date: Sun, 03 Apr 2016 18:57:08 +0000 Subject: [openssl-commits] Build failed: openssl master.2519 Message-ID: <20160403185707.49923.77415.CDE4AB05@appveyor.com> An HTML attachment was scrubbed... URL: From viktor at openssl.org Sun Apr 3 19:36:41 2016 
From: viktor at openssl.org (Viktor Dukhovni) Date: Sun, 03 Apr 2016 19:36:41 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1459712201.657884.10104.nullmailer@dev.openssl.org> The branch master has been updated via c3a7e0c565c5d41e7d9b910a45c2248c2f3d5152 (commit) from bb3bdf0507ac5c9713a7e99d8652085b2f150b06 (commit) - Log ----------------------------------------------------------------- commit c3a7e0c565c5d41e7d9b910a45c2248c2f3d5152 Author: Viktor Dukhovni Date: Sun Apr 3 15:21:34 2016 -0400 After saving errno clear it before calls to strtol et. al. Reviewed-by: Richard Levitte ----------------------------------------------------------------------- Summary of changes: apps/opt.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/apps/opt.c b/apps/opt.c index 462894a..63d3215 100644 --- a/apps/opt.c +++ b/apps/opt.c @@ -373,6 +373,7 @@ int opt_long(const char *value, long *result) long l; char *endp; + errno = 0; l = strtol(value, &endp, 0); if (*endp || endp == value @@ -398,6 +399,7 @@ int opt_imax(const char *value, intmax_t *result) intmax_t m; char *endp; + errno = 0; m = strtoimax(value, &endp, 0); if (*endp || endp == value @@ -420,6 +422,7 @@ int opt_umax(const char *value, uintmax_t *result) uintmax_t m; char *endp; + errno = 0; m = strtoumax(value, &endp, 0); if (*endp || endp == value @@ -445,6 +448,7 @@ int opt_ulong(const char *value, unsigned long *result) char *endptr; unsigned long l; + errno = 0; l = strtoul(value, &endptr, 0); if (*endptr || endptr == value From builds at travis-ci.org Sun Apr 3 19:59:33 2016 
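Review bot: In apps/opt.c, the "errno = 0;" added before strtoul() in opt_ulong() and before strtoumax() in opt_umax() makes the range check reliable, but both functions also accept a leading minus sign and return the negated value without setting errno. Unless the part of the condition cut off after "endptr == value" already rejects it, an argument such as "-1" is still accepted as a very large unsigned value; consider rejecting a leading '-' explicitly in the two unsigned parsers. The commit message says errno is saved first, but the hunks show neither the save nor the restore, so please confirm that every return path, including the error returns, puts the saved value back.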
From: builds at travis-ci.org (Travis CI) Date: Sun, 03 Apr 2016 19:59:33 +0000 Subject: [openssl-commits] Still Failing: openssl/openssl#3202 (master - c3a7e0c) In-Reply-To: Message-ID: <57017624e8e41_33fea498fc8e8631929@4ba6f9de-f08c-4cd1-8e44-5431073b6adf.mail> Build Update for openssl/openssl ------------------------------------- Build: #3202 Status: Still Failing Duration: 17 minutes and 7 seconds Commit: c3a7e0c (master) Author: Viktor Dukhovni Message: After saving errno clear it before calls to strtol et. al. Reviewed-by: Richard Levitte View the changeset: https://github.com/openssl/openssl/compare/bb3bdf0507ac...c3a7e0c565c5 View the full build log and details: https://travis-ci.org/openssl/openssl/builds/120475524 -- You can configure recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications -------------- next part -------------- An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Sun Apr 3 20:16:08 2016 From: no-reply at appveyor.com (AppVeyor) Date: Sun, 03 Apr 2016 20:16:08 +0000 Subject: [openssl-commits] Build failed: openssl master.2520 Message-ID: <20160403201607.94584.62232.A6EDE0E1@appveyor.com> An HTML attachment was scrubbed... URL: From viktor at openssl.org Sun Apr 3 21:14:34 2016 
From: viktor at openssl.org (Viktor Dukhovni) Date: Sun, 03 Apr 2016 21:14:34 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1459718074.173296.25753.nullmailer@dev.openssl.org> The branch master has been updated via 51f6d88420f9289e8b3b395a709e1a0aedc8e163 (commit) from c3a7e0c565c5d41e7d9b910a45c2248c2f3d5152 (commit) - Log ----------------------------------------------------------------- commit 51f6d88420f9289e8b3b395a709e1a0aedc8e163 Author: Andy Polyakov Date: Fri Apr 1 18:17:01 2016 +0200 apps/Makefile.in: add tsget rule. Reviewed-by: Richard Levitte ----------------------------------------------------------------------- Summary of changes: apps/Makefile.in | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/apps/Makefile.in b/apps/Makefile.in index 064496b..d2ec0c7 100644 --- a/apps/Makefile.in +++ b/apps/Makefile.in @@ -151,5 +151,9 @@ CA.pl: CA.pl.in $(PERL) -I$(TOP) -Mconfigdata $(TOP)/util/dofile.pl -oapps/Makefile CA.pl.in > CA.pl.new mv CA.pl.new CA.pl +tsget: tsget.in + $(PERL) -I$(TOP) -Mconfigdata $(TOP)/util/dofile.pl -oapps/Makefile tsget.in > tsget.new + mv tsget.new tsget + # DO NOT DELETE THIS LINE -- make depend depends on it. From no-reply at appveyor.com Sun Apr 3 21:16:02 2016 From: no-reply at appveyor.com (AppVeyor) Date: Sun, 03 Apr 2016 21:16:02 +0000 Subject: [openssl-commits] Build failed: openssl master.2521 Message-ID: <20160403211602.9962.58129.1ABFFA65@appveyor.com> An HTML attachment was scrubbed... URL: From builds at travis-ci.org Sun Apr 3 21:49:51 2016 
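Review bot: In the new tsget rule in apps/Makefile.in, the script is written through a redirect ("> tsget.new") and then moved into place, so the generated tsget gets default file permissions with no executable bit, and nothing in the recipe runs chmod. If tsget is meant to be run directly, add "chmod a+x tsget.new" before the mv. The CA.pl rule just above has the same shape, so the two could share one pattern rule instead of carrying two copies of the dofile.pl command.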
From: builds at travis-ci.org (Travis CI) Date: Sun, 03 Apr 2016 21:49:51 +0000 Subject: [openssl-commits] Still Failing: FdaSilvaYY/openssl#381 (31-03-add-option-help-details - 69e4b84) In-Reply-To: Message-ID: <57018ffe7f020_33fef268b8b48372854@369c6fd5-d812-4bbf-9591-0d8ce71b759f.mail> Build Update for FdaSilvaYY/openssl ------------------------------------- Build: #381 Status: Still Failing Duration: 27 minutes and 38 seconds Commit: 69e4b84 (31-03-add-option-help-details) Author: FdaSilvaYY Message: Add help message to some progs options. View the changeset: https://github.com/FdaSilvaYY/openssl/compare/18059927d421...69e4b84c3cec View the full build log and details: https://travis-ci.org/FdaSilvaYY/openssl/builds/120488583 -- You can configure recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications -------------- next part -------------- An HTML attachment was scrubbed... URL: From builds at travis-ci.org Sun Apr 3 21:53:29 2016 From: builds at travis-ci.org (Travis CI) Date: Sun, 03 Apr 2016 21:53:29 +0000 Subject: [openssl-commits] Canceled: FdaSilvaYY/openssl#382 (spelling2 - ba9aeb3) In-Reply-To: Message-ID: <570190d979abb_33fd7d9c3a820702573@694cf71e-bcf3-4553-996b-8dc0b413541f.mail> Build Update for FdaSilvaYY/openssl ------------------------------------- Build: #382 Status: Canceled Duration: 0 seconds Commit: ba9aeb3 (spelling2) Author: FdaSilvaYY Message: various spelling fixes View the changeset: https://github.com/FdaSilvaYY/openssl/compare/33b66a82013e...ba9aeb3fe36f View the full build log and details: https://travis-ci.org/FdaSilvaYY/openssl/builds/120488625 -- You can configure recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications -------------- next part -------------- An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Sun Apr 3 22:05:12 2016 
From: no-reply at appveyor.com (AppVeyor) Date: Sun, 03 Apr 2016 22:05:12 +0000 Subject: [openssl-commits] Build failed: openssl master.2522 Message-ID: <20160403220511.70513.73743.B0283136@appveyor.com> An HTML attachment was scrubbed... URL: From builds at travis-ci.org Sun Apr 3 22:16:00 2016 From: builds at travis-ci.org (Travis CI) Date: Sun, 03 Apr 2016 22:16:00 +0000 Subject: [openssl-commits] Errored: FdaSilvaYY/openssl#384 (crypto_mem_leaks - 72f2bc9) In-Reply-To: Message-ID: <570196208dcd0_33fea498d09507261a2@4ba6f9de-f08c-4cd1-8e44-5431073b6adf.mail> Build Update for FdaSilvaYY/openssl ------------------------------------- Build: #384 Status: Errored Duration: 1 minute and 34 seconds Commit: 72f2bc9 (crypto_mem_leaks) Author: FdaSilvaYY Message: Add missing mem leak test activation and checks View the changeset: https://github.com/FdaSilvaYY/openssl/compare/13f68ce17f14...72f2bc94001d View the full build log and details: https://travis-ci.org/FdaSilvaYY/openssl/builds/120488895 -- You can configure recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications -------------- next part -------------- An HTML attachment was scrubbed... URL: From builds at travis-ci.org Sun Apr 3 22:20:00 2016 
From: builds at travis-ci.org (Travis CI) Date: Sun, 03 Apr 2016 22:20:00 +0000 Subject: [openssl-commits] Still Failing: FdaSilvaYY/openssl#383 (ex_data-fixes - 278dac4) In-Reply-To: Message-ID: <5701970f6b856_33fef1fa386c83936bd@369c6fd5-d812-4bbf-9591-0d8ce71b759f.mail> Build Update for FdaSilvaYY/openssl ------------------------------------- Build: #383 Status: Still Failing Duration: 18 minutes and 8 seconds Commit: 278dac4 (ex_data-fixes) Author: FdaSilvaYY Message: Add checks on CRYPTO_new_ex_data return value, adapted to new multi-threading API changes. Once reference, lock, meth, and flag fields are setup, DSA_free/DH_free can be called directly. View the changeset: https://github.com/FdaSilvaYY/openssl/compare/a09b1b65e6d4...278dac43f97c View the full build log and details: https://travis-ci.org/FdaSilvaYY/openssl/builds/120488726 -- You can configure recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications -------------- next part -------------- An HTML attachment was scrubbed... URL: From levitte at openssl.org Sun Apr 3 22:25:27 2016 
From: levitte at openssl.org (Richard Levitte) Date: Sun, 03 Apr 2016 22:25:27 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1459722327.987827.22769.nullmailer@dev.openssl.org> The branch master has been updated via 68cd4e3f993cf16adf0904a85f5b477a0094c1cf (commit) from 51f6d88420f9289e8b3b395a709e1a0aedc8e163 (commit) - Log ----------------------------------------------------------------- commit 68cd4e3f993cf16adf0904a85f5b477a0094c1cf Author: Richard Levitte Date: Sun Apr 3 14:11:12 2016 +0200 Makefile et al template: only modify static library with new object files Previously, we updated the static libraries (libcrypto.a on Unix, libcrypto.lib on Windows) with all the object files, regardless of if they were rebuilt or not. With this change, we only update them with the object files were rebuilt. NOTE: this does not apply on VMS, as the expansion of $? may be too large for a command line. Reviewed-by: Andy Polyakov ----------------------------------------------------------------------- Summary of changes: Configurations/unix-Makefile.tmpl | 2 +- Configurations/windows-makefile.tmpl | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl index 5b9a23f..8da9a4c 100644 --- a/Configurations/unix-Makefile.tmpl +++ b/Configurations/unix-Makefile.tmpl @@ -981,7 +981,7 @@ EOF my $objs = join(" ", map { $_.$objext } @{$args{objs}}); return <<"EOF"; $lib$libext: $objs - \$(AR) \$\@ $objs + \$(AR) \$\@ \$\? \$(RANLIB) \$\@ || echo Never mind. EOF } diff --git a/Configurations/windows-makefile.tmpl b/Configurations/windows-makefile.tmpl index 00149c3..b4672ab 100644 --- a/Configurations/windows-makefile.tmpl +++ b/Configurations/windows-makefile.tmpl @@ -404,7 +404,7 @@ EOF return <<"EOF"; $lib$libext: $deps \$(AR) \$(ARFLAGS) \$(AROUTFLAG)$lib$libext @<< -$objs +\$\? << EOF } From levitte at openssl.org Sun Apr 3 22:26:43 2016 
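Review bot: In Configurations/windows-makefile.tmpl, replacing $objs with \$\? in the response file is only safe if the archiver updates an existing library in place. Microsoft's lib, when given an output name and a list of objects, builds the output from exactly the inputs named, so after an incremental rebuild the library would hold only the objects that changed unless the existing $lib$libext is also listed as an input. The visible lines do not show what \$(AR) and \$(ARFLAGS) expand to, so please confirm this, or keep $objs on Windows as the commit message already does for VMS. Note also that this rule depends on $deps rather than $objs, so $? expands to the newer entries of $deps, which may not be only object files.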
From: levitte at openssl.org (Richard Levitte) Date: Sun, 03 Apr 2016 22:26:43 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1459722403.332482.23769.nullmailer@dev.openssl.org> The branch master has been updated via adb4076ae06dd6ff01a62b1fcd73f02aadc5ecae (commit) from 68cd4e3f993cf16adf0904a85f5b477a0094c1cf (commit) - Log ----------------------------------------------------------------- commit adb4076ae06dd6ff01a62b1fcd73f02aadc5ecae Author: Richard Levitte Date: Mon Apr 4 00:11:20 2016 +0200 Don't shadow known symbols write, read, puts, gets It was harmless in this case, but best avoid the annoying warnings. Reviewed-by: Matt Caswell Reviewed-by: Viktor Dukhovni ----------------------------------------------------------------------- Summary of changes: crypto/bio/bio_meth.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/crypto/bio/bio_meth.c b/crypto/bio/bio_meth.c index 134c448..88ce8c3 100644 --- a/crypto/bio/bio_meth.c +++ b/crypto/bio/bio_meth.c @@ -76,9 +76,9 @@ int (*BIO_meth_get_write(BIO_METHOD *biom)) (BIO *, const char *, int) } int BIO_meth_set_write(BIO_METHOD *biom, - int (*write) (BIO *, const char *, int)) + int (*bwrite) (BIO *, const char *, int)) { - biom->bwrite = write; + biom->bwrite = bwrite; return 1; } @@ -88,9 +88,9 @@ int (*BIO_meth_get_read(BIO_METHOD *biom)) (BIO *, char *, int) } int BIO_meth_set_read(BIO_METHOD *biom, - int (*read) (BIO *, char *, int)) + int (*bread) (BIO *, char *, int)) { - biom->bread = read; + biom->bread = bread; return 1; } @@ -100,9 +100,9 @@ int (*BIO_meth_get_puts(BIO_METHOD *biom)) (BIO *, const char *) } int BIO_meth_set_puts(BIO_METHOD *biom, - int (*puts) (BIO *, const char *)) + int (*bputs) (BIO *, const char *)) { - biom->bputs = puts; + biom->bputs = bputs; return 1; } 
@@ -112,9 +112,9 @@ int (*BIO_meth_get_gets(BIO_METHOD *biom)) (BIO *, char *, int) } int BIO_meth_set_gets(BIO_METHOD *biom, - int (*gets) (BIO *, char *, int)) + int (*bgets) (BIO *, char *, int)) { - biom->bgets = gets; + biom->bgets = bgets; return 1; } From builds at travis-ci.org Sun Apr 3 22:43:41 2016 From: builds at travis-ci.org (Travis CI) Date: Sun, 03 Apr 2016 22:43:41 +0000 Subject: [openssl-commits] Still Failing: FdaSilvaYY/openssl#385 (up_ref_api_unify - 7a92650) In-Reply-To: Message-ID: <57019c9c7493a_33fd7d9c3a6a4729146@694cf71e-bcf3-4553-996b-8dc0b413541f.mail> Build Update for FdaSilvaYY/openssl ------------------------------------- Build: #385 Status: Still Failing Duration: 27 minutes and 51 seconds Commit: 7a92650 (up_ref_api_unify) Author: FdaSilvaYY Message: Unify _up_ref methods returned type Add a status return value. Update the docs. View the changeset: https://github.com/FdaSilvaYY/openssl/compare/500442af6055...7a926505d4c8 View the full build log and details: https://travis-ci.org/FdaSilvaYY/openssl/builds/120489183 -- You can configure recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications -------------- next part -------------- An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Sun Apr 3 22:54:19 2016 From: no-reply at appveyor.com (AppVeyor) Date: Sun, 03 Apr 2016 22:54:19 +0000 Subject: [openssl-commits] Build failed: openssl master.2523 Message-ID: <20160403225418.28273.78442.2FCFB1C2@appveyor.com> An HTML attachment was scrubbed... URL: From builds at travis-ci.org Sun Apr 3 23:01:57 2016 
From: builds at travis-ci.org (Travis CI) Date: Sun, 03 Apr 2016 23:01:57 +0000 Subject: [openssl-commits] Errored: FdaSilvaYY/openssl#387 (more-zalloc2 - af557d1) In-Reply-To: Message-ID: <5701a0e55df98_33fd7d9c3a820739117@694cf71e-bcf3-4553-996b-8dc0b413541f.mail> Build Update for FdaSilvaYY/openssl ------------------------------------- Build: #387 Status: Errored Duration: 3 minutes and 31 seconds Commit: af557d1 (more-zalloc2) Author: FdaSilvaYY Message: Add more zalloc View the changeset: https://github.com/FdaSilvaYY/openssl/compare/7f41caf6b08f...af557d11c4a2 View the full build log and details: https://travis-ci.org/FdaSilvaYY/openssl/builds/120489465 -- You can configure recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications -------------- next part -------------- An HTML attachment was scrubbed... URL: From builds at travis-ci.org Sun Apr 3 23:13:21 2016 From: builds at travis-ci.org (Travis CI) Date: Sun, 03 Apr 2016 23:13:21 +0000 Subject: [openssl-commits] Still Failing: openssl/openssl#3209 (master - 51f6d88) In-Reply-To: Message-ID: <5701a3918d300_33fea498fcdd47541ae@4ba6f9de-f08c-4cd1-8e44-5431073b6adf.mail> Build Update for openssl/openssl ------------------------------------- Build: #3209 Status: Still Failing Duration: 7 minutes and 3 seconds Commit: 51f6d88 (master) Author: Andy Polyakov Message: apps/Makefile.in: add tsget rule. Reviewed-by: Richard Levitte View the changeset: https://github.com/openssl/openssl/compare/c3a7e0c565c5...51f6d88420f9 View the full build log and details: https://travis-ci.org/openssl/openssl/builds/120491023 -- You can configure recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications -------------- next part -------------- An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Sun Apr 3 23:42:24 2016 
From: no-reply at appveyor.com (AppVeyor) Date: Sun, 03 Apr 2016 23:42:24 +0000 Subject: [openssl-commits] Build failed: openssl master.2524 Message-ID: <20160403234224.49889.88472.432C6D67@appveyor.com> An HTML attachment was scrubbed... URL: From builds at travis-ci.org Mon Apr 4 00:10:14 2016 From: builds at travis-ci.org (Travis CI) Date: Mon, 04 Apr 2016 00:10:14 +0000 Subject: [openssl-commits] Still Failing: FdaSilvaYY/openssl#392 (X509_REQ_to_X509 - 15ecc82) In-Reply-To: Message-ID: <5701b0e61e89e_33fef268b2b084634d3@369c6fd5-d812-4bbf-9591-0d8ce71b759f.mail> Build Update for FdaSilvaYY/openssl ------------------------------------- Build: #392 Status: Still Failing Duration: 28 minutes and 20 seconds Commit: 15ecc82 (X509_REQ_to_X509) Author: FdaSilvaYY Message: Fix a possible leak on NETSCAPE_SPKI_verify failure. View the changeset: https://github.com/FdaSilvaYY/openssl/compare/17f1622db764...15ecc829f502 View the full build log and details: https://travis-ci.org/FdaSilvaYY/openssl/builds/120495746 -- You can configure recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications -------------- next part -------------- An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Mon Apr 4 00:38:01 2016 From: no-reply at appveyor.com (AppVeyor) Date: Mon, 04 Apr 2016 00:38:01 +0000 Subject: [openssl-commits] Build failed: openssl master.2525 Message-ID: <20160404003801.28267.19625.B2AD4DD9@appveyor.com> An HTML attachment was scrubbed... URL: From builds at travis-ci.org Mon Apr 4 00:44:02 2016 
From: builds at travis-ci.org (Travis CI) Date: Mon, 04 Apr 2016 00:44:02 +0000 Subject: [openssl-commits] Still Failing: FdaSilvaYY/openssl#394 (31-03-add-option-help-details - ba821e5) In-Reply-To: Message-ID: <5701b8d11cd8d_33fef1fa38c684820b1@369c6fd5-d812-4bbf-9591-0d8ce71b759f.mail> Build Update for FdaSilvaYY/openssl ------------------------------------- Build: #394 Status: Still Failing Duration: 22 minutes and 53 seconds Commit: ba821e5 (31-03-add-option-help-details) Author: FdaSilvaYY Message: Add help message to some progs options. View the changeset: https://github.com/FdaSilvaYY/openssl/compare/69e4b84c3cec...ba821e5b6964 View the full build log and details: https://travis-ci.org/FdaSilvaYY/openssl/builds/120496280 -- You can configure recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications -------------- next part -------------- An HTML attachment was scrubbed... URL: From builds at travis-ci.org Mon Apr 4 00:44:29 2016 
From: builds at travis-ci.org (Travis CI) Date: Mon, 04 Apr 2016 00:44:29 +0000 Subject: [openssl-commits] Still Failing: openssl/openssl#3216 (master - 68cd4e3) In-Reply-To: Message-ID: <5701b8eea7c1a_33fd7dd27be9877651b@694cf71e-bcf3-4553-996b-8dc0b413541f.mail> Build Update for openssl/openssl ------------------------------------- Build: #3216 Status: Still Failing Duration: 23 minutes and 53 seconds Commit: 68cd4e3 (master) Author: Richard Levitte Message: Makefile et al template: only modify static library with new object files Previously, we updated the static libraries (libcrypto.a on Unix, libcrypto.lib on Windows) with all the object files, regardless of if they were rebuilt or not. With this change, we only update them with the object files were rebuilt. NOTE: this does not apply on VMS, as the expansion of $? may be too large for a command line. Reviewed-by: Andy Polyakov View the changeset: https://github.com/openssl/openssl/compare/51f6d88420f9...68cd4e3f993c View the full build log and details: https://travis-ci.org/openssl/openssl/builds/120501156 -- You can configure recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications -------------- next part -------------- An HTML attachment was scrubbed... URL: From builds at travis-ci.org Mon Apr 4 01:04:05 2016 
From: builds at travis-ci.org (Travis CI) Date: Mon, 04 Apr 2016 01:04:05 +0000 Subject: [openssl-commits] Still Failing: openssl/openssl#3217 (master - adb4076) In-Reply-To: Message-ID: <5701bd8435fd8_33fd7dd975ca878372e@694cf71e-bcf3-4553-996b-8dc0b413541f.mail> Build Update for openssl/openssl ------------------------------------- Build: #3217 Status: Still Failing Duration: 6 minutes and 19 seconds Commit: adb4076 (master) Author: Richard Levitte Message: Don't shadow known symbols write, read, puts, gets It was harmless in this case, but best avoid the annoying warnings. Reviewed-by: Matt Caswell Reviewed-by: Viktor Dukhovni View the changeset: https://github.com/openssl/openssl/compare/68cd4e3f993c...adb4076ae06d View the full build log and details: https://travis-ci.org/openssl/openssl/builds/120501339 -- You can configure recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications -------------- next part -------------- An HTML attachment was scrubbed... URL: From builds at travis-ci.org Mon Apr 4 01:05:35 2016 
From: builds at travis-ci.org (Travis CI) Date: Mon, 04 Apr 2016 01:05:35 +0000 Subject: [openssl-commits] Still Failing: FdaSilvaYY/openssl#395 (spelling2 - 38fa327) In-Reply-To: Message-ID: <5701bddebe633_33fd0d32393381214b8@dbfa9a30-2cac-424c-81ea-3cb1521c4ab5.mail> Build Update for FdaSilvaYY/openssl ------------------------------------- Build: #395 Status: Still Failing Duration: 26 minutes and 28 seconds Commit: 38fa327 (spelling2) Author: FdaSilvaYY Message: various spelling fixes View the changeset: https://github.com/FdaSilvaYY/openssl/compare/ba9aeb3fe36f...38fa327a6e57 View the full build log and details: https://travis-ci.org/FdaSilvaYY/openssl/builds/120496392 -- You can configure recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications -------------- next part -------------- An HTML attachment was scrubbed... URL: From builds at travis-ci.org Mon Apr 4 01:29:15 2016 From: builds at travis-ci.org (Travis CI) Date: Mon, 04 Apr 2016 01:29:15 +0000 Subject: [openssl-commits] Still Failing: FdaSilvaYY/openssl#396 (crypto_mem_leaks - 4be2ee8) In-Reply-To: Message-ID: <5701c36af1423_33fd0da0b87dc1302c0@dbfa9a30-2cac-424c-81ea-3cb1521c4ab5.mail> Build Update for FdaSilvaYY/openssl ------------------------------------- Build: #396 Status: Still Failing Duration: 20 minutes and 17 seconds Commit: 4be2ee8 (crypto_mem_leaks) Author: FdaSilvaYY Message: Add missing mem leak test activation and checks View the changeset: https://github.com/FdaSilvaYY/openssl/compare/72f2bc94001d...4be2ee8f67b3 View the full build log and details: https://travis-ci.org/FdaSilvaYY/openssl/builds/120496464 -- You can configure recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications -------------- next part -------------- An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Mon Apr 4 01:32:58 2016 
From: no-reply at appveyor.com (AppVeyor) Date: Mon, 04 Apr 2016 01:32:58 +0000 Subject: [openssl-commits] Build failed: openssl master.2526 Message-ID: <20160404013258.9108.8306.7C31A402@appveyor.com> An HTML attachment was scrubbed... URL: From viktor at openssl.org Mon Apr 4 01:49:40 2016 From: viktor at openssl.org (Viktor Dukhovni) Date: Mon, 04 Apr 2016 01:49:40 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1459734580.296947.25179.nullmailer@dev.openssl.org> The branch master has been updated via ae6c553ecaa915d2689e66d68ac0965beba31e53 (commit) from adb4076ae06dd6ff01a62b1fcd73f02aadc5ecae (commit) - Log ----------------------------------------------------------------- commit ae6c553ecaa915d2689e66d68ac0965beba31e53 Author: Viktor Dukhovni Date: Sun Apr 3 20:58:09 2016 -0400 Fix mixed declarations and code Reviewed-by: Dr. Stephen Henson ----------------------------------------------------------------------- Summary of changes: apps/dsaparam.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/apps/dsaparam.c b/apps/dsaparam.c index 64e92ae..5c282be 100644 --- a/apps/dsaparam.c +++ b/apps/dsaparam.c @@ -264,13 +264,14 @@ int dsaparam_main(int argc, char **argv) if (C) { BIGNUM *p = NULL, *q = NULL, *g = NULL; + unsigned char *data; int len, bits_p; DSA_get0_pqg(dsa, &p, &q, &g); len = BN_num_bytes(p); bits_p = BN_num_bits(p); - unsigned char *data = app_malloc(len + 20, "BN space"); + data = app_malloc(len + 20, "BN space"); BIO_printf(bio_out, "DSA *get_dsa%d()\n{\n", bits_p); print_bignum_var(bio_out, p, "dsap", len, data); From builds at travis-ci.org Mon Apr 4 01:49:44 2016 
From: builds at travis-ci.org (Travis CI) Date: Mon, 04 Apr 2016 01:49:44 +0000 Subject: [openssl-commits] Still Failing: FdaSilvaYY/openssl#397 (more-zalloc2 - 75fc8f0) In-Reply-To: Message-ID: <5701c837f2317_33fd0da0bcae41390c9@dbfa9a30-2cac-424c-81ea-3cb1521c4ab5.mail> Build Update for FdaSilvaYY/openssl ------------------------------------- Build: #397 Status: Still Failing Duration: 7 minutes and 54 seconds Commit: 75fc8f0 (more-zalloc2) Author: FdaSilvaYY Message: Add more zalloc View the changeset: https://github.com/FdaSilvaYY/openssl/compare/af557d11c4a2...75fc8f00e00d View the full build log and details: https://travis-ci.org/FdaSilvaYY/openssl/builds/120496625 -- You can configure recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications -------------- next part -------------- An HTML attachment was scrubbed... URL: From builds at travis-ci.org Mon Apr 4 02:12:33 2016 From: builds at travis-ci.org (Travis CI) Date: Mon, 04 Apr 2016 02:12:33 +0000 Subject: [openssl-commits] Fixed: openssl/openssl#3220 (master - ae6c553) In-Reply-To: Message-ID: <5701cd91a72b7_33fef236fe10c52424e@369c6fd5-d812-4bbf-9591-0d8ce71b759f.mail> Build Update for openssl/openssl ------------------------------------- Build: #3220 Status: Fixed Duration: 22 minutes and 28 seconds Commit: ae6c553 (master) Author: Viktor Dukhovni Message: Fix mixed declarations and code Reviewed-by: Dr. Stephen Henson View the changeset: https://github.com/openssl/openssl/compare/adb4076ae06d...ae6c553ecaa9 View the full build log and details: https://travis-ci.org/openssl/openssl/builds/120523299 -- You can configure recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications -------------- next part -------------- An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Mon Apr 4 02:26:14 2016 
From: no-reply at appveyor.com (AppVeyor) Date: Mon, 04 Apr 2016 02:26:14 +0000 Subject: [openssl-commits] Build failed: openssl master.2527 Message-ID: <20160404022613.97865.22360.5778B377@appveyor.com> An HTML attachment was scrubbed... URL: From rsalz at openssl.org Mon Apr 4 02:33:25 2016 From: rsalz at openssl.org (Rich Salz) Date: Mon, 04 Apr 2016 02:33:25 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1459737205.404326.19814.nullmailer@dev.openssl.org> The branch master has been updated via b5851bbc43dcf497189d16395dfa925d1562ee06 (commit) from ae6c553ecaa915d2689e66d68ac0965beba31e53 (commit) - Log ----------------------------------------------------------------- commit b5851bbc43dcf497189d16395dfa925d1562ee06 Author: Michał Trojnara Date: Sun Apr 3 20:01:09 2016 +0200 Removed no-ops for the old locking API Reviewed-by: Matt Caswell Reviewed-by: Rich Salz ----------------------------------------------------------------------- Summary of changes: include/openssl/crypto.h | 32 ++++++++------------------------ 1 file changed, 8 insertions(+), 24 deletions(-) diff --git a/include/openssl/crypto.h b/include/openssl/crypto.h index 980389b..d775e9e 100644 --- a/include/openssl/crypto.h +++ b/include/openssl/crypto.h @@ -159,12 +159,6 @@ extern "C" { # define SSLEAY_PLATFORM OPENSSL_PLATFORM # define SSLEAY_DIR OPENSSL_DIR -# define CRYPTO_w_lock(a) -# define CRYPTO_w_unlock(a) -# define CRYPTO_r_lock(a) -# define CRYPTO_r_unlock(a) -# define CRYPTO_add(a,b,c) ((*(a))+=(b)) - /* * Old type for allocating dynamic locks. No longer used. Use the new thread * API instead. 
@@ -311,19 +305,16 @@ void CRYPTO_cleanup_all_ex_data(void); # if OPENSSL_API_COMPAT < 0x10100000L /* - * These are the functions for the old threading API. These are all now no-ops - * and should not be used. + * The old locking functions have been removed completely without compatibility + * macros. This is because the old functions either could not properly report + * errors, or the returned error values were not clearly documented. + * Replacing the locking functions with with no-ops would cause race condition + * issues in the affected applications. It is far better for them to fail at + * compile time. + * On the other hand, the locking callbacks are no longer used. Consequently, + * the callback management functions can be safely replaced with no-op macros. */ -# define CRYPTO_get_new_lockid(name) (0) # define CRYPTO_num_locks() (0) -/* - * The old CRYPTO_lock() function has been removed completely without a - * compatibility macro. This is because previously it could not return an error - * response, but if any applications are using this they will not work and could - * fail in strange ways. Better for them to fail at compile time. - * - * void CRYPTO_lock(int mode, int type, const char *file, int line); - */ # define CRYPTO_set_locking_callback(func) # define CRYPTO_get_locking_callback() (NULL) # define CRYPTO_set_add_lock_callback(func) @@ -349,13 +340,6 @@ typedef struct crypto_threadid_st { # define CRYPTO_thread_id() (0UL) # endif /* OPENSSL_API_COMPAT < 0x10000000L */ -# define CRYPTO_get_lock_name(type) (NULL) -# define CRYPTO_add_lock(pointer, amount, type, file, line) \ - (0) - -# define CRYPTO_get_new_dynlockid() (0) -# define CRYPTO_destroy_dynlockid(i) -# define CRYPTO_get_dynlock_value(i) (NULL) # define CRYPTO_set_dynlock_create_callback(dyn_create_function) # define CRYPTO_set_dynlock_lock_callback(dyn_lock_function) # define CRYPTO_set_dynlock_destroy_callback(dyn_destroy_function) From no-reply at appveyor.com Mon Apr 4 03:23:57 2016 
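Review bot: In the rewritten comment under "# if OPENSSL_API_COMPAT < 0x10100000L" in include/openssl/crypto.h, the removed interfaces are no longer named: the old comment mentioned CRYPTO_lock() explicitly, while the new one says only "the old locking functions". Since the stated intent is a compile-time failure, list the names removed in this patch (CRYPTO_w_lock, CRYPTO_w_unlock, CRYPTO_r_lock, CRYPTO_r_unlock, CRYPTO_add, CRYPTO_add_lock, CRYPTO_get_new_lockid, CRYPTO_get_lock_name and the dynlockid macros) and point to the replacement API, so that someone who hits the error can find out what to use instead. The same comment has a doubled word in "with with no-ops". The removed CRYPTO_add(a,b,c) expanded to a plain ((*(a))+=(b)), which is not atomic, so failing the build for its callers is consistent with the race-condition rationale given in the comment.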
From: no-reply at appveyor.com (AppVeyor) Date: Mon, 04 Apr 2016 03:23:57 +0000 Subject: [openssl-commits] Build failed: openssl master.2528 Message-ID: <20160404032357.49899.58849.25637594@appveyor.com> An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Mon Apr 4 04:14:41 2016 From: no-reply at appveyor.com (AppVeyor) Date: Mon, 04 Apr 2016 04:14:41 +0000 Subject: [openssl-commits] Build failed: openssl master.2529 Message-ID: <20160404041440.97847.66877.4BB21038@appveyor.com> An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Mon Apr 4 05:02:24 2016 From: no-reply at appveyor.com (AppVeyor) Date: Mon, 04 Apr 2016 05:02:24 +0000 Subject: [openssl-commits] Build failed: openssl master.2530 Message-ID: <20160404050215.49891.26629.B542AB1C@appveyor.com> An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Mon Apr 4 05:51:37 2016 From: no-reply at appveyor.com (AppVeyor) Date: Mon, 04 Apr 2016 05:51:37 +0000 Subject: [openssl-commits] Build failed: openssl master.2531 Message-ID: <20160404055137.28265.18676.42A3DCEB@appveyor.com> An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Mon Apr 4 06:42:36 2016 From: no-reply at appveyor.com (AppVeyor) Date: Mon, 04 Apr 2016 06:42:36 +0000 Subject: [openssl-commits] Build failed: openssl master.2532 Message-ID: <20160404064236.70497.88936.24243B8F@appveyor.com> An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Mon Apr 4 07:35:51 2016 From: no-reply at appveyor.com (AppVeyor) Date: Mon, 04 Apr 2016 07:35:51 +0000 Subject: [openssl-commits] Build failed: openssl master.2533 Message-ID: <20160404073551.32761.17346.0085F549@appveyor.com> An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Mon Apr 4 08:29:11 2016 
From: no-reply at appveyor.com (AppVeyor) Date: Mon, 04 Apr 2016 08:29:11 +0000 Subject: [openssl-commits] Build failed: openssl master.2534 Message-ID: <20160404082901.94588.41754.221E7D69@appveyor.com> An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Mon Apr 4 09:24:29 2016 From: no-reply at appveyor.com (AppVeyor) Date: Mon, 04 Apr 2016 09:24:29 +0000 Subject: [openssl-commits] Build failed: openssl master.2535 Message-ID: <20160404092428.9990.73265.091AEECC@appveyor.com> An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Mon Apr 4 10:13:33 2016 From: no-reply at appveyor.com (AppVeyor) Date: Mon, 04 Apr 2016 10:13:33 +0000 Subject: [openssl-commits] Build failed: openssl master.2536 Message-ID: <20160404101333.9978.94799.E39CE1ED@appveyor.com> An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Mon Apr 4 11:13:14 2016 From: no-reply at appveyor.com (AppVeyor) Date: Mon, 04 Apr 2016 11:13:14 +0000 Subject: [openssl-commits] Build failed: openssl master.2537 Message-ID: <20160404111314.32745.58798.C565E990@appveyor.com> An HTML attachment was scrubbed... URL: From emilia at openssl.org Mon Apr 4 11:26:27 2016 
From: emilia at openssl.org (Emilia Kasper) Date: Mon, 04 Apr 2016 11:26:27 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1459769187.381512.15113.nullmailer@dev.openssl.org> The branch master has been updated via 1400f013e10c8ec624947d9187bebb20274385dc (commit) from b5851bbc43dcf497189d16395dfa925d1562ee06 (commit) - Log ----------------------------------------------------------------- commit 1400f013e10c8ec624947d9187bebb20274385dc Author: Emilia Kasper Date: Wed Mar 30 22:37:05 2016 +0200 Fix memory leaks in ASN.1 These leaks affect 1.1.0 dev branch only; introduced around commit f93ad22f6adb00e722c130e792799467f3927b56 Found with LibFuzzer Reviewed-by: Ben Laurie ----------------------------------------------------------------------- Summary of changes: crypto/asn1/tasn_dec.c | 9 ++- test/Makefile.in | 10 +++- test/build.info | 6 +- test/d2i-tests/bad_cert.der | Bin 0 -> 1007 bytes test/d2i-tests/bad_generalname.der | 1 + test/d2i_test.c | 117 +++++++++++++++++++++++++++++++++++++ test/recipes/25-test_d2i.t | 19 ++++++ 7 files changed, 157 insertions(+), 5 deletions(-) create mode 100644 test/d2i-tests/bad_cert.der create mode 100644 test/d2i-tests/bad_generalname.der create mode 100644 test/d2i_test.c create mode 100644 test/recipes/25-test_d2i.t diff --git a/crypto/asn1/tasn_dec.c b/crypto/asn1/tasn_dec.c index b025e58..5715921 100644 --- a/crypto/asn1/tasn_dec.c +++ b/crypto/asn1/tasn_dec.c @@ -273,6 +273,12 @@ static int asn1_item_embed_d2i(ASN1_VALUE **pval, const unsigned char **in, /* If field not present, try the next one */ if (ret == -1) continue; + /* + * Set the choice selector here to ensure that the value is + * correctly freed upon error. It may be partially initialized + * even if parsing failed. + */ + asn1_set_choice_selector(pval, i, it); /* If positive return, read OK, break loop */ if (ret > 0) break; 
@@ -294,7 +300,6 @@ static int asn1_item_embed_d2i(ASN1_VALUE **pval, const unsigned char **in, goto err; } - asn1_set_choice_selector(pval, i, it); if (asn1_cb && !asn1_cb(ASN1_OP_D2I_POST, pval, it, NULL)) goto auxerr; *in = p; @@ -617,6 +622,8 @@ static int asn1_template_noexp_d2i(ASN1_VALUE **val, ASN1_ITEM_ptr(tt->item), -1, 0, 0, ctx)) { ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, ERR_R_NESTED_ASN1_ERROR); + /* |skfield| may be partially allocated despite failure. */ + ASN1_item_free(skfield, ASN1_ITEM_ptr(tt->item)); goto err; } len -= p - q; diff --git a/test/Makefile.in b/test/Makefile.in index e10af0b..ee66729 100644 --- a/test/Makefile.in +++ b/test/Makefile.in @@ -84,6 +84,7 @@ DTLSV1LISTENTEST = dtlsv1listentest CTTEST= ct_test THREADSTEST= threadstest AFALGTEST= afalgtest +D2ITEST = d2i_test TESTS= alltests @@ -106,7 +107,7 @@ EXE= $(NPTEST)$(EXE_EXT) $(MEMLEAKTEST)$(EXE_EXT) \ $(CONSTTIMETEST)$(EXE_EXT) $(VERIFYEXTRATEST)$(EXE_EXT) \ $(CLIENTHELLOTEST)$(EXE_EXT) $(PACKETTEST)$(EXE_EXT) $(ASYNCTEST)$(EXE_EXT) \ $(DTLSV1LISTENTEST)$(EXE_EXT) $(CTTEST)$(EXE_EXT) $(THREADSTEST)$(EXE_EXT) \ - $(AFALGTEST)$(EXE_EXT) + $(AFALGTEST)$(EXE_EXT) $(D2ITEST)$(EXE_EXT) # $(METHTEST)$(EXE_EXT) @@ -124,7 +125,7 @@ OBJ= $(NPTEST).o $(MEMLEAKTEST).o \ $(HEARTBEATTEST).o $(P5_CRPT2_TEST).o \ $(CONSTTIMETEST).o $(VERIFYEXTRATEST).o $(CLIENTHELLOTEST).o \ $(PACKETTEST).o $(ASYNCTEST).o $(DTLSV1LISTENTEST).o $(CTTEST).o \ - $(THREADSTEST).o testutil.o $(AFALGTEST).o + $(THREADSTEST).o testutil.o $(AFALGTEST).o $(D2ITEST).o SRC= $(NPTEST).c $(MEMLEAKTEST).c \ $(BNTEST).c $(ECTEST).c \ @@ -139,7 +140,7 @@ SRC= $(NPTEST).c $(MEMLEAKTEST).c \ $(HEARTBEATTEST).c $(P5_CRPT2_TEST).c \ $(CONSTTIMETEST).c $(VERIFYEXTRATEST).c $(CLIENTHELLOTEST).c \ $(PACKETTEST).c $(ASYNCTEST).c $(DTLSV1LISTENTEST).c $(CTTEST).c \ - $(THREADSTEST).c testutil.c $(AFALGTEST).c + $(THREADSTEST).c testutil.c $(AFALGTEST).c $(D2ITEST).c HEADER= testutil.h 
@@ -385,4 +386,7 @@ dummytest$(EXE_EXT): dummytest.o $(DLIBCRYPTO) $(AFALGTEST)$(EXE_EXT): $(AFALGTEST).o $(DLIBCRYPTO) @target=$(AFALGTEST); $(BUILD_CMD) +$(D2ITEST)$(EXE_EXT): $(D2ITEST).o $(DLIBCRYPTO) testutil.o + @target=$(D2ITEST) testutil=testutil.o; $(BUILD_CMD) + # DO NOT DELETE THIS LINE -- make depend depends on it. diff --git a/test/build.info b/test/build.info index 74f83a3..083412c 100644 --- a/test/build.info +++ b/test/build.info @@ -14,7 +14,7 @@ PROGRAMS=\ danetest heartbeat_test p5_crpt2_test \ constant_time_test verify_extra_test clienthellotest \ packettest asynctest secmemtest srptest memleaktest \ - dtlsv1listentest ct_test threadstest afalgtest + dtlsv1listentest ct_test threadstest afalgtest d2i_test SOURCE[aborttest]=aborttest.c INCLUDE[aborttest]={- rel2abs(catdir($builddir,"../include")) -} ../include @@ -220,4 +220,8 @@ SOURCE[afalgtest]=afalgtest.c INCLUDE[afalgtest]={- rel2abs(catdir($builddir,"../include")) -} .. ../include DEPEND[afalgtest]=../libcrypto +SOURCE[d2i_test]=d2i_test.c testutil.c +INCLUDE[d2i_test]={- rel2abs(catdir($builddir,"../include")) -} .. ../include +DEPEND[d2i_test]=../libcrypto + INCLUDE[testutil.o]=.. diff --git a/test/d2i-tests/bad_cert.der b/test/d2i-tests/bad_cert.der new file mode 100644 index 0000000..f75efad Binary files /dev/null and b/test/d2i-tests/bad_cert.der differ diff --git a/test/d2i-tests/bad_generalname.der b/test/d2i-tests/bad_generalname.der new file mode 100644 index 0000000..af45855 --- /dev/null +++ b/test/d2i-tests/bad_generalname.der @@ -0,0 +1 @@ +??0;?!;)''??!l?(,:??(*;?:???:?*?*;i)*w*?)?;U:'):?;l*!'?? \ No newline at end of file diff --git a/test/d2i_test.c b/test/d2i_test.c new file mode 100644 index 0000000..cf01012 --- /dev/null +++ b/test/d2i_test.c 
@@ -0,0 +1,117 @@ +/* + * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL licenses, (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * https://www.openssl.org/source/license.html + * or in the file LICENSE in the source distribution. + */ + +/* Regression tests for ASN.1 parsing bugs. */ + +#include +#include + +#include "testutil.h" + +#include +#include +#include +#include +#include + +static const ASN1_ITEM *item_type; +static const char *test_file; + +typedef struct d2i_test_fixture { + const char *test_case_name; +} D2I_TEST_FIXTURE; + + +static D2I_TEST_FIXTURE set_up(const char *const test_case_name) +{ + D2I_TEST_FIXTURE fixture; + fixture.test_case_name = test_case_name; + return fixture; +} + +static int execute_test(D2I_TEST_FIXTURE fixture) +{ + BIO *bio = NULL; + ASN1_VALUE *value = NULL; + int ret = 1; + unsigned char buf[2048]; + const unsigned char *buf_ptr = buf; + int len; + + if ((bio = BIO_new_file(test_file, "r")) == NULL) + return 1; + + /* + * We don't use ASN1_item_d2i_bio because it, apparently, + * errors too early for some inputs. + */ + len = BIO_read(bio, buf, sizeof buf); + if (len < 0) + goto err; + + value = ASN1_item_d2i(NULL, &buf_ptr, len, item_type); + if (value != NULL) + goto err; + + ret = 0; + + err: + BIO_free(bio); + ASN1_item_free(value, item_type); + return ret; +} + +static void tear_down(D2I_TEST_FIXTURE fixture) +{ + ERR_print_errors_fp(stderr); +} + +#define SETUP_D2I_TEST_FIXTURE() \ + SETUP_TEST_FIXTURE(D2I_TEST_FIXTURE, set_up) + +#define EXECUTE_D2I_TEST() \ + EXECUTE_TEST(execute_test, tear_down) + +static int test_bad_asn1() +{ + SETUP_D2I_TEST_FIXTURE(); + EXECUTE_D2I_TEST(); +} + +/* + * Usage: d2i_test , e.g. 
+ * d2i_test generalname bad_generalname.der + */ +int main(int argc, char **argv) +{ + int result = 0; + const char *test_type_name; + + if (argc != 3) + return 1; + + test_type_name = argv[1]; + test_file = argv[2]; + + if (strcmp(test_type_name, "generalname") == 0) { + item_type = ASN1_ITEM_rptr(GENERAL_NAME); + } else if (strcmp(test_type_name, "x509") == 0) { + item_type = ASN1_ITEM_rptr(X509); + } else { + fprintf(stderr, "Bad type %s\n", test_type_name); + return 1; + } + + ADD_TEST(test_bad_asn1); + + result = run_tests(argv[0]); + + return result; +} diff --git a/test/recipes/25-test_d2i.t b/test/recipes/25-test_d2i.t new file mode 100644 index 0000000..a9c259d --- /dev/null +++ b/test/recipes/25-test_d2i.t @@ -0,0 +1,19 @@ +#! /usr/bin/perl + +use strict; +use warnings; + +use File::Spec; +use OpenSSL::Test qw/:DEFAULT srctop_file/; + +setup("test_d2i"); + +plan tests => 2; + +ok(run(test(["d2i_test", "x509", + srctop_file('test','d2i-tests','bad_cert.der')])), + "Running d2i_test bad_cert.der"); + +ok(run(test(["d2i_test", "generalname", + srctop_file('test','d2i-tests','bad_generalname.der')])), + "Running d2i_test bad_generalname.der"); From no-reply at appveyor.com Mon Apr 4 12:06:09 2016 From: no-reply at appveyor.com (AppVeyor) Date: Mon, 04 Apr 2016 12:06:09 +0000 Subject: [openssl-commits] Build failed: openssl master.2538 Message-ID: <20160404120605.62141.28162.96869C2D@appveyor.com> An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Mon Apr 4 12:55:45 2016 From: no-reply at appveyor.com (AppVeyor) Date: Mon, 04 Apr 2016 12:55:45 +0000 Subject: [openssl-commits] Build failed: openssl master.2539 Message-ID: <20160404125545.32737.46189.52D3E87A@appveyor.com> An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Mon Apr 4 13:44:20 2016 
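Review bot: in the crypto/asn1/tasn_dec.c hunk at @@ -617,6, ASN1_item_free(skfield, ASN1_ITEM_ptr(tt->item)) runs immediately before "goto err", so the err path must not release skfield a second time. That path is not visible in the hunk; confirm it, and consider setting skfield to NULL right after the free so that later cleanup cannot double free it.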
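Review bot: execute_test in the new test/d2i_test.c opens the DER input with BIO_new_file(test_file, "r"), which is text mode. bad_cert.der is binary, so on platforms that translate line endings the parser can see different bytes than the ones the fuzzer found; use "rb". Two smaller points in the same function: a single BIO_read into buf[2048] silently truncates any future test file larger than the buffer, and a file that fails to open returns 1 with no message, which is indistinguishable from a parse that unexpectedly succeeded.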
From: no-reply at appveyor.com (AppVeyor) Date: Mon, 04 Apr 2016 13:44:20 +0000 Subject: [openssl-commits] Build failed: openssl master.2540 Message-ID: <20160404134349.97849.26372.A11834C2@appveyor.com> An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Mon Apr 4 14:39:54 2016 From: no-reply at appveyor.com (AppVeyor) Date: Mon, 04 Apr 2016 14:39:54 +0000 Subject: [openssl-commits] Build failed: openssl master.2541 Message-ID: <20160404143952.97841.32770.16D9ECCA@appveyor.com> An HTML attachment was scrubbed... URL: From appro at openssl.org Mon Apr 4 14:57:13 2016 From: appro at openssl.org (Andy Polyakov) Date: Mon, 04 Apr 2016 14:57:13 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1459781833.025362.2002.nullmailer@dev.openssl.org> The branch master has been updated via 4b8736a22e758c371bc2f8b3534dc0c274acf42c (commit) from 1400f013e10c8ec624947d9187bebb20274385dc (commit) - Log ----------------------------------------------------------------- commit 4b8736a22e758c371bc2f8b3534dc0c274acf42c Author: Andy Polyakov Date: Tue Mar 29 10:02:45 2016 +0200 crypto/poly1305: don't break carry chains. RT#4483 [poly1305-armv4.pl: remove redundant #ifdef __thumb2__] [poly1305-ppc*.pl: presumably more accurate benchmark results] Reviewed-by: Richard Levitte ----------------------------------------------------------------------- Summary of changes: crypto/poly1305/asm/poly1305-armv4.pl | 34 +++---------- crypto/poly1305/asm/poly1305-armv8.pl | 18 ++++--- crypto/poly1305/asm/poly1305-c64xplus.pl | 15 +++--- crypto/poly1305/asm/poly1305-ppc.pl | 11 +++-- crypto/poly1305/asm/poly1305-ppcfp.pl | 4 +- crypto/poly1305/asm/poly1305-s390x.pl | 7 +-- crypto/poly1305/asm/poly1305-sparcv9.pl | 15 +++--- crypto/poly1305/asm/poly1305-x86.pl | 10 ++-- crypto/poly1305/asm/poly1305-x86_64.pl | 24 +++++---- crypto/poly1305/poly1305.c | 84 +++++++++++++++++++++++++++++--- 10 files changed, 146 insertions(+), 76 deletions(-) 
diff --git a/crypto/poly1305/asm/poly1305-armv4.pl b/crypto/poly1305/asm/poly1305-armv4.pl index 4c4b417..aa3f228 100755 --- a/crypto/poly1305/asm/poly1305-armv4.pl +++ b/crypto/poly1305/asm/poly1305-armv4.pl @@ -10,10 +10,10 @@ # IALU(*)/gcc-4.4 NEON # # ARM11xx(ARMv6) 7.78/+100% - -# Cortex-A5 6.30/+130% 2.96 +# Cortex-A5 6.35/+130% 2.96 # Cortex-A8 6.25/+115% 2.36 # Cortex-A9 5.10/+95% 2.55 -# Cortex-A15 3.79/+85% 1.25(**) +# Cortex-A15 3.85/+85% 1.25(**) # Snapdragon S4 5.70/+100% 1.48(**) # # (*) this is for -march=armv6, i.e. with bunch of ldrb loading data; @@ -313,7 +313,8 @@ poly1305_blocks: adds $h0,$h0,r1 adcs $h1,$h1,#0 adcs $h2,$h2,#0 - adc $h3,$h3,#0 + adcs $h3,$h3,#0 + adc $h4,$h4,#0 cmp r0,lr @ done yet? bhi .Loop @@ -735,9 +736,7 @@ poly1305_blocks_neon: .align 4 .Leven: subs $len,$len,#64 -# ifdef __thumb2__ it lo -# endif movlo $in2,$zeros vmov.i32 $H4,#1<<24 @ padbit, yes, always @@ -745,9 +744,7 @@ poly1305_blocks_neon: add $inp,$inp,#64 vld4.32 {$H0#hi,$H1#hi,$H2#hi,$H3#hi},[$in2] @ inp[2:3] (or 0) add $in2,$in2,#64 -# ifdef __thumb2__ itt hi -# endif addhi $tbl1,$ctx,#(48+1*9*4) addhi $tbl0,$ctx,#(48+3*9*4) @@ -817,9 +814,7 @@ poly1305_blocks_neon: vmull.u32 $D4,$H4#hi,${R0}[1] subs $len,$len,#64 vmlal.u32 $D0,$H4#hi,${S1}[1] -# ifdef __thumb2__ it lo -# endif movlo $in2,$zeros vmlal.u32 $D3,$H2#hi,${R1}[1] vld1.32 ${S4}[1],[$tbl1,:32] @@ -946,9 +941,7 @@ poly1305_blocks_neon: add $tbl1,$ctx,#(48+0*9*4) add $tbl0,$ctx,#(48+1*9*4) adds $len,$len,#32 -# ifdef __thumb2__ it ne -# endif movne $len,#0 bne .Long_tail @@ -990,14 +983,10 @@ poly1305_blocks_neon: vmlal.u32 $D2,$H0#hi,$R2 vmlal.u32 $D3,$H0#hi,$R3 -# ifdef __thumb2__ - it ne -# endif + it ne addne $tbl1,$ctx,#(48+2*9*4) vmlal.u32 $D0,$H2#hi,$S3 -# ifdef __thumb2__ - it ne -# endif + it ne addne $tbl0,$ctx,#(48+3*9*4) vmlal.u32 $D4,$H1#hi,$R3 vmlal.u32 $D1,$H3#hi,$S3 
@@ -1138,7 +1127,8 @@ poly1305_emit_neon: adds $h0,$h0,$g0 adcs $h1,$h1,#0 adcs $h2,$h2,#0 - adc $h3,$h3,#0 + adcs $h3,$h3,#0 + adc $h4,$h4,#0 adds $g0,$h0,#5 @ compare to modulus adcs $g1,$h1,#0 @@ -1147,24 +1137,16 @@ poly1305_emit_neon: adc $g4,$h4,#0 tst $g4,#4 @ did it carry/borrow? -# ifdef __thumb2__ it ne -# endif movne $h0,$g0 ldr $g0,[$nonce,#0] -# ifdef __thumb2__ it ne -# endif movne $h1,$g1 ldr $g1,[$nonce,#4] -# ifdef __thumb2__ it ne -# endif movne $h2,$g2 ldr $g2,[$nonce,#8] -# ifdef __thumb2__ it ne -# endif movne $h3,$g3 ldr $g3,[$nonce,#12] diff --git a/crypto/poly1305/asm/poly1305-armv8.pl b/crypto/poly1305/asm/poly1305-armv8.pl index f1359fd..2e1dae3 100755 --- a/crypto/poly1305/asm/poly1305-armv8.pl +++ b/crypto/poly1305/asm/poly1305-armv8.pl @@ -16,10 +16,10 @@ # IALU/gcc-4.9 NEON # # Apple A7 1.86/+5% 0.72 -# Cortex-A53 2.63/+58% 1.47 +# Cortex-A53 2.69/+58% 1.47 # Cortex-A57 2.70/+7% 1.14 -# Denver 1.39/+50% 1.18(*) -# X-Gene 2.00/+68% 2.19 +# Denver 1.64/+50% 1.18(*) +# X-Gene 2.13/+68% 2.19 # # (*) estimate based on resources availability is less than 1.0, # i.e. measured result is worse than expected, presumably binary @@ -151,7 +151,8 @@ poly1305_blocks: and $h2,$d2,#3 add $t0,$t0,$d2,lsr#2 adds $h0,$d0,$t0 - adc $h1,$d1,xzr + adcs $h1,$d1,xzr + adc $h2,$h2,xzr cbnz $len,.Loop @@ -235,7 +236,8 @@ poly1305_mult: and $h2,$d2,#3 add $t0,$t0,$d2,lsr#2 adds $h0,$d0,$t0 - adc $h1,$d1,xzr + adcs $h1,$d1,xzr + adc $h2,$h2,xzr ret .size poly1305_mult,.-poly1305_mult @@ -310,7 +312,8 @@ poly1305_blocks_neon: and $h2,$d2,#3 add $t0,$t0,$d2,lsr#2 adds $h0,$h0,$t0 - adc $h1,$h1,xzr + adcs $h1,$h1,xzr + adc $h2,$h2,xzr #ifdef __ARMEB__ rev $d0,$d0 @@ -870,7 +873,8 @@ poly1305_emit_neon: add $d0,$d0,$h2,lsr#2 and $h2,$h2,#3 adds $h0,$h0,$d0 - adc $h1,$h1,xzr + adcs $h1,$h1,xzr + adc $h2,$h2,xzr adds $d0,$h0,#5 // compare to modulus adcs $d1,$h1,xzr 
diff --git a/crypto/poly1305/asm/poly1305-c64xplus.pl b/crypto/poly1305/asm/poly1305-c64xplus.pl index f750a6e..a7cf47d 100755 --- a/crypto/poly1305/asm/poly1305-c64xplus.pl +++ b/crypto/poly1305/asm/poly1305-c64xplus.pl @@ -11,7 +11,7 @@ # # October 2015 # -# Performance is [incredible for a 32-bit processor] 1.76 cycles per +# Performance is [incredible for a 32-bit processor] 1.82 cycles per # processed byte. Comparison to compiler-generated code is problematic, # because results were observed to vary from 2.1 to 7.6 cpb depending # on compiler's ability to inline small functions. Compiler also @@ -128,7 +128,7 @@ _poly1305_blocks: || SWAP2 $D1,$D1 ADDU $D0,B24,$D0:$H0 ; h0+=inp[0] -|| ADD $D0,B24,B31 ; B-copy of h0+inp[0] +|| ADD $D0,B24,B27 ; B-copy of h0+inp[0] || SWAP4 $D1,$D1 ADDU $D1,B25,$D1:$H1 ; h1+=inp[1] || MVK 3,$THREE @@ -140,12 +140,12 @@ _poly1305_blocks: loop?: MPY32U $H0,$R0,A17:A16 -|| MPY32U B31,$R1,B17:B16 ; MPY32U $H0,$R1,B17:B16 +|| MPY32U B27,$R1,B17:B16 ; MPY32U $H0,$R1,B17:B16 || ADDU $D0,$D1:$H1,B25:B24 ; ADDU $D0,$D1:$H1,$D1:$H1 || ADDU $D2,B28,$D2:$H2 ; h2+=inp[2] || SWAP2 $D3,$D3 MPY32U $H0,$R2,A19:A18 -|| MPY32U B31,$R3,B19:B18 ; MPY32U $H0,$R3,B19:B18 +|| MPY32U B27,$R3,B19:B18 ; MPY32U $H0,$R3,B19:B18 || ADD $D0,$H1,A24 ; A-copy of B24 || SWAP4 $D3,$D3 || [A2] SUB A2,1,A2 ; decrement loop counter @@ -227,8 +227,8 @@ loop?: SHRU $H4,2,B16 ; last reduction step || AND $H4,$THREE,$H4 -|| [A2] BNOP loop? ADDAW B16,B16,B16 ; 5*(h4>>2) +|| [A2] BNOP loop? ADDU B24,B16,B25:B24 ; B24 is h0 || [A2] SWAP2 $D2,$D2 @@ -236,8 +236,9 @@ loop?: || [A2] SWAP4 $D2,$D2 ADDU B28,B27,B29:B28 ; B28 is h2 || [A2] ADDU $D0,B24,$D0:$H0 ; h0+=inp[0] -|| [A2] ADD $D0,B24,B31 ; B-copy of h0+inp[0] - ADD B30,B29,B30 ; B30 is h3 +|| [A2] ADD $D0,B24,B27 ; B-copy of h0+inp[0] + ADDU B30,B29,B31:B30 ; B30 is h3 + ADD B31,$H4,$H4 || [A2] ADDU $D1,B26,$D1:$H1 ; h1+=inp[1] ;;===== branch to loop? is taken here 
diff --git a/crypto/poly1305/asm/poly1305-ppc.pl b/crypto/poly1305/asm/poly1305-ppc.pl index 46130c9..07da9d1 100755 --- a/crypto/poly1305/asm/poly1305-ppc.pl +++ b/crypto/poly1305/asm/poly1305-ppc.pl @@ -17,11 +17,10 @@ # -m32 -m64 # # Freescale e300 14.8/+80% - -# PPC74x0 7.40/+60% - -# PPC970 7.20/+114% 3.51/+205% -# POWER6 3.96/+250% 2.02/+170% -# POWER7 3.67/+260% 1.87/+100% -# POWER8 - 2.13/+200% +# PPC74x0 7.60/+60% - +# PPC970 7.00/+114% 3.51/+205% +# POWER7 3.75/+260% 1.93/+100% +# POWER8 - 2.03/+200% # # Do we need floating-point implementation for PPC? Results presented # in poly1305_ieee754.c are tricky to compare to, because they are for @@ -212,6 +211,7 @@ $code.=<<___; add $t0,$t0,$t1 addc $h0,$d0,$t0 addze $h1,$d1 + addze $h2,$h2 bdnz Loop @@ -518,6 +518,7 @@ $code.=<<___; addze $h1,$h1 addze $h2,$h2 addze $h3,$h3 + addze $h4,$h4 bdnz Loop diff --git a/crypto/poly1305/asm/poly1305-ppcfp.pl b/crypto/poly1305/asm/poly1305-ppcfp.pl index 061a556..c8636a4 100755 --- a/crypto/poly1305/asm/poly1305-ppcfp.pl +++ b/crypto/poly1305/asm/poly1305-ppcfp.pl @@ -15,8 +15,8 @@ # and improvement coefficients relative to gcc-generated code. # # Freescale e300 9.78/+30% -# PPC74x0 7.08/+50% -# PPC970 6.24/+80% +# PPC74x0 6.92/+50% +# PPC970 6.03/+80% # POWER7 3.50/+30% # POWER8 3.75/+10% diff --git a/crypto/poly1305/asm/poly1305-s390x.pl b/crypto/poly1305/asm/poly1305-s390x.pl index 49b3f79..141ba8d 100755 --- a/crypto/poly1305/asm/poly1305-s390x.pl +++ b/crypto/poly1305/asm/poly1305-s390x.pl @@ -11,7 +11,7 @@ # # June 2015 # -# ~6.4/2.2 cpb on z10/z196+, >2x improvement over compiler-generated +# ~6.6/2.3 cpb on z10/z196+, >2x improvement over compiler-generated # code. For older compiler improvement coefficient is >3x, because # then base 2^64 and base 2^32 implementations are compared. # 
@@ -138,11 +138,12 @@ poly1305_blocks: ngr $h0,$h2 srlg $t0,$h2,2 algr $h0,$t0 + lghi $t1,3 + ngr $h2,$t1 algr $h0,$d0lo - lghi $t1,3 alcgr $h1,$d1hi # $d1hi is still zero - ngr $h2,$t1 + alcgr $h2,$d1hi # $d1hi is still zero brct$g $len,.Loop diff --git a/crypto/poly1305/asm/poly1305-sparcv9.pl b/crypto/poly1305/asm/poly1305-sparcv9.pl index 5452887..497e270 100755 --- a/crypto/poly1305/asm/poly1305-sparcv9.pl +++ b/crypto/poly1305/asm/poly1305-sparcv9.pl @@ -16,10 +16,10 @@ # # IALU(*) FMA # -# UltraSPARC III 11.9(**) -# SPARC T3 7.85 -# SPARC T4 1.67(***) 6.55 -# SPARC64 X 5.54 3.64 +# UltraSPARC III 12.3(**) +# SPARC T3 7.92 +# SPARC T4 1.70(***) 6.55 +# SPARC64 X 5.60 3.64 # # (*) Comparison to compiler-generated code is really problematic, # because latter's performance varies too much depending on too @@ -251,8 +251,9 @@ poly1305_blocks: addcc $t0,$d0,$h0 addccc %g0,$h1,$h1 addccc %g0,$h2,$h2 + addccc %g0,$h3,$h3 brnz,pt $len,.Loop - addc %g0,$h3,$h3 + addc %g0,$h4,$h4 st $h1,[$ctx+0] ! store hash value st $h0,[$ctx+4] @@ -295,6 +296,7 @@ poly1305_blocks_vis3: neg $shr,$shl srlx $R1,2,$S1 + b .Loop_vis3 add $R1,$S1,$S1 .Loop_vis3: @@ -342,8 +344,9 @@ poly1305_blocks_vis3: add $T1,$T0,$T0 addcc $T0,$D0,$H0 + addxccc %g0,$D1,$H1 brnz,pt $len,.Loop_vis3 - addxc %g0,$D1,$H1 + addxc %g0,$H2,$H2 stx $H0,[$ctx+0] ! store hash value stx $H1,[$ctx+8] diff --git a/crypto/poly1305/asm/poly1305-x86.pl b/crypto/poly1305/asm/poly1305-x86.pl index 01c3cbc..97d0a81 100755 --- a/crypto/poly1305/asm/poly1305-x86.pl +++ b/crypto/poly1305/asm/poly1305-x86.pl @@ -299,6 +299,7 @@ if ($sse2) { &adc ("ebx",0); &adc ("ecx",0); &adc ("esi",0); + &adc ("edi",0); &cmp ("ebp",&wparam(2)); # done yet? &jne (&label("loop")); 
@@ -1166,11 +1167,12 @@ my $addr = shift; &shr ("edi",2); &lea ("ebp",&DWP(0,"edi","edi",4)); # *5 &mov ("edi",&wparam(1)); # output - add ("eax","ebp"); + &add ("eax","ebp"); &mov ("ebp",&wparam(2)); # key - adc ("ebx",0); - adc ("ecx",0); - adc ("edx",0); + &adc ("ebx",0); + &adc ("ecx",0); + &adc ("edx",0); + &adc ("esi",0); &movd ($D0,"eax"); # offload original hash value &add ("eax",5); # compare to modulus diff --git a/crypto/poly1305/asm/poly1305-x86_64.pl b/crypto/poly1305/asm/poly1305-x86_64.pl index 8977d56..7d67611 100755 --- a/crypto/poly1305/asm/poly1305-x86_64.pl +++ b/crypto/poly1305/asm/poly1305-x86_64.pl @@ -15,16 +15,16 @@ # measured with rdtsc at fixed clock frequency. # # IALU/gcc-4.8(*) AVX(**) AVX2 -# P4 4.90/+120% - -# Core 2 2.39/+90% - -# Westmere 1.86/+120% - +# P4 4.46/+120% - +# Core 2 2.41/+90% - +# Westmere 1.88/+120% - # Sandy Bridge 1.39/+140% 1.10 -# Haswell 1.10/+175% 1.11 0.65 -# Skylake 1.12/+120% 0.96 0.51 +# Haswell 1.14/+175% 1.11 0.65 +# Skylake 1.13/+120% 0.96 0.51 # Silvermont 2.83/+95% - # VIA Nano 1.82/+150% - # Sledgehammer 1.38/+160% - -# Bulldozer 2.21/+130% 0.97 +# Bulldozer 2.30/+130% 0.97 # # (*) improvement coefficients relative to clang are more modest and # are ~50% on most processors, in both cases we are comparing to @@ -114,6 +114,7 @@ $code.=<<___; add $d3,%rax add %rax,$h0 adc \$0,$h1 + adc \$0,$h2 ___ } @@ -184,8 +185,8 @@ $code.=<<___; .align 32 poly1305_blocks: .Lblocks: - sub \$16,$len # too short? - jc .Lno_data + shr \$4,$len + jz .Lno_data # too short push %rbx push %rbp @@ -220,8 +221,8 @@ ___ &poly1305_iteration(); $code.=<<___; mov $r1,%rax - sub \$16,%r15 # len-=16 - jnc .Loop + dec %r15 # len-=16 + jnz .Loop mov $h0,0($ctx) # store hash value mov $h1,8($ctx) @@ -521,6 +522,7 @@ poly1305_blocks_avx: add $d2,$d1 # =*5 add $d1,$h0 adc \$0,$h1 + adc \$0,$h2 mov $s1,$r1 mov $s1,%rax 
@@ -1315,6 +1317,7 @@ poly1305_emit_avx: add %rcx,%rax add %rax,%r8 adc \$0,%r9 + adc \$0,%r10 mov %r8,%rax add \$5,%r8 # compare to modulus @@ -1407,6 +1410,7 @@ poly1305_blocks_avx2: add $d2,$d1 # =*5 add $d1,$h0 adc \$0,$h1 + adc \$0,$h2 mov $s1,$r1 mov $s1,%rax diff --git a/crypto/poly1305/poly1305.c b/crypto/poly1305/poly1305.c index b500f2e..6bec8b3 100644 --- a/crypto/poly1305/poly1305.c +++ b/crypto/poly1305/poly1305.c @@ -207,7 +207,17 @@ poly1305_blocks(void *ctx, const unsigned char *inp, size_t len, u32 padbit) c = (h2 >> 2) + (h2 & ~3UL); h2 &= 3; h0 += c; - h1 += (c = CONSTANT_TIME_CARRY(h0,c)); /* doesn't overflow */ + h1 += (c = CONSTANT_TIME_CARRY(h0,c)); + h2 += CONSTANT_TIME_CARRY(h1,c); + /* + * Occasional overflows to 3rd bit of h2 are taken care of + * "naturally". If after this point we end up at the top of + * this loop, then the overflow bit will be accounted for + * in next iteration. If we end up in poly1305_emit, then + * comparison to modulus below will still count as "carry + * into 131st bit", so that properly reduced value will be + * picked in conditional move. + */ inp += POLY1305_BLOCK_SIZE; len -= POLY1305_BLOCK_SIZE; @@ -231,12 +241,12 @@ static void poly1305_emit(void *ctx, unsigned char mac[16], h1 = st->h[1]; h2 = st->h[2]; - /* compute h + -p */ + /* compare to modulus by computing h + -p */ g0 = (u64)(t = (u128)h0 + 5); g1 = (u64)(t = (u128)h1 + (t >> 64)); g2 = h2 + (u64)(t >> 64); - /* if there was carry into 130th bit, h1:h0 = g1:g0 */ + /* if there was carry into 131st bit, h1:h0 = g1:g0 */ mask = 0 - (g2 >> 2); g0 &= mask; g1 &= mask; 
@@ -361,7 +371,17 @@ poly1305_blocks(void *ctx, const unsigned char *inp, size_t len, u32 padbit) h0 += c; h1 += (c = CONSTANT_TIME_CARRY(h0,c)); h2 += (c = CONSTANT_TIME_CARRY(h1,c)); - h3 += (c = CONSTANT_TIME_CARRY(h2,c)); /* doesn't overflow */ + h3 += (c = CONSTANT_TIME_CARRY(h2,c)); + h4 += CONSTANT_TIME_CARRY(h3,c); + /* + * Occasional overflows to 3rd bit of h4 are taken care of + * "naturally". If after this point we end up at the top of + * this loop, then the overflow bit will be accounted for + * in next iteration. If we end up in poly1305_emit, then + * comparison to modulus below will still count as "carry + * into 131st bit", so that properly reduced value will be + * picked in conditional move. + */ inp += POLY1305_BLOCK_SIZE; len -= POLY1305_BLOCK_SIZE; @@ -389,14 +409,14 @@ static void poly1305_emit(void *ctx, unsigned char mac[16], h3 = st->h[3]; h4 = st->h[4]; - /* compute h + -p */ + /* compare to modulus by computing h + -p */ g0 = (u32)(t = (u64)h0 + 5); g1 = (u32)(t = (u64)h1 + (t >> 32)); g2 = (u32)(t = (u64)h2 + (t >> 32)); g3 = (u32)(t = (u64)h3 + (t >> 32)); g4 = h4 + (u32)(t >> 32); - /* if there was carry into 130th bit, h3:h0 = g3:g0 */ + /* if there was carry into 131st bit, h3:h0 = g3:g0 */ mask = 0 - (g4 >> 2); g0 &= mask; g1 &= mask; 
@@ -729,6 +749,58 @@ static const struct poly1305_test poly1305_tests[] = { "2637408fe13086ea73f971e3425e2820" }, /* + * test vectors from Hanno B?ck + */ + { + "cccccccccccccccccccccccccccccccccccccccccccccccccc80cccccccccccc" + "cccccccccccccccccccccccccccccccccccccccccccccccccccccccccecccccc" + "ccccccccccccccccccccccccccccccc5cccccccccccccccccccccccccccccccc" + "cccccccccce3cccccccccccccccccccccccccccccccccccccccccccccccccccc" + "ccccccccaccccccccccccccccccccce6cccccccccc000000afcccccccccccccc" + "ccccfffffff50000000000000000000000000000000000000000000000000000" + "00ffffffe7000000000000000000000000000000000000000000000000000000" + "0000000000000000000000000000000000000000000000000000719205a8521d" + "fc", + "7f1b0264000000000000000000000000""0000000000000000cccccccccccccccc", + "8559b876eceed66eb37798c0457baff9" + }, + { + "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa0000000000" + "00000000800264", + "e0001600000000000000000000000000""0000aaaaaaaaaaaaaaaaaaaaaaaaaaaa", + "00bd1258978e205444c9aaaa82006fed" + }, + { + "02fc", + "0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c""0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c", + "06120c0c0c0c0c0c0c0c0c0c0c0c0c0c" + }, + { + "7b7b7b7b7b7b7b7b7b7b7b7b7b7b7b7b7b7b7b7b7b7b7b7b7b7b7b7b7b7b7b7b" + "7b7b7b7b7b7b7a7b7b7b7b7b7b7b7b7b7b7b7b7b7b7b7b7b7b7b7b7b7b7b7b7b" + "7b7b5c7b7b7b7b7b7b7b7b7b7b7b7b7b7b7b7b7b7b7b7b7b7b7b7b7b7b7b7b7b" + "7b7b7b7b7b7b7b7b7b7b7b7b7b7b7b7b7b7b7b7b6e7b007b7b7b7b7b7b7b7b7b" + "7b7b7b7b7b7b7b7b7b7b7b7b7b7b7b7b7b7b7b7a7b7b7b7b7b7b7b7b7b7b7b7b" + "7b7b7b7b7b7b7b7b7b7b7b7b7b7b7b5c7b7b7b7b7b7b7b7b7b7b7b7b7b7b7b7b" + "7b7b7b7b7b7b7b7b7b7b7b7b7b7b7b7b7b7b7b7b7b7b7b7b7b7b7b7b7b7b7b7b" + "7b6e7b001300000000b300000000000000000000000000000000000000000000" + "f20000000000000000000000000000000000002000efff000900000000000000" + "0000000000100000000009000000640000000000000000000000001300000000" + "b300000000000000000000000000000000000000000000f20000000000000000" + "000000000000000000002000efff00090000000000000000007a000010000000" 
+ "000900000064000000000000000000000000000000000000000000000000fc", + "00ff0000000000000000000000000000""00000000001e00000000000000007b7b", + "33205bbf9e9f8f7212ab9e2ab9b7e4a5" + }, + { + "7777777777777777777777777777777777777777777777777777777777777777" + "7777777777777777777777777777777777777777777777777777777777777777" + "777777777777777777777777ffffffe9e9acacacacacacacacacacac0000acac" + "ec0100acacac2caca2acacacacacacacacacacac64f2", + "0000007f0000007f0100002000000000""0000cf77777777777777777777777777", + "02ee7c8c546ddeb1a467e4c3981158b9" + }, + /* * test vectors from Andrew Moon */ { /* nacl */ From levitte at openssl.org Mon Apr 4 15:01:43 2016 From: levitte at openssl.org (Richard Levitte) Date: Mon, 04 Apr 2016 15:01:43 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1459782103.532636.7189.nullmailer@dev.openssl.org> The branch master has been updated via 6c13488c4e75ef839bc07a3ce428289aef4bd267 (commit) from 4b8736a22e758c371bc2f8b3534dc0c274acf42c (commit) - Log ----------------------------------------------------------------- commit 6c13488c4e75ef839bc07a3ce428289aef4bd267 Author: Richard Levitte Date: Mon Apr 4 16:55:12 2016 +0200 Make sure the rand_byte buffer in padlock engine is cleansed. Submitted by Michael McConville Reviewed-by: Rich Salz ----------------------------------------------------------------------- Summary of changes: engines/e_padlock.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/engines/e_padlock.c b/engines/e_padlock.c index 96e7483..f474f50 100644 --- a/engines/e_padlock.c +++ b/engines/e_padlock.c @@ -776,7 +776,7 @@ static int padlock_rand_bytes(unsigned char *output, int count) *output++ = (unsigned char)buf; count--; } - *(volatile unsigned int *)&buf = 0; + OPENSSL_cleanse(&buf, sizeof(buf)); return 1; } From no-reply at appveyor.com Mon Apr 4 15:36:13 2016 
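Review bot: in crypto/poly1305/asm/poly1305-x86_64.pl the @@ -184,8 and @@ -220,8 hunks switch the loop from a byte count ("sub \$16,$len" / "jc") to a block count ("shr \$4,$len" / "jz"), but the loop tail still reads "dec %r15 # len-=16". The comment now describes the old arithmetic; change it to say the block counter is decremented, and note at the shr that the low four bits of len are dropped there.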
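Review bot: the benchmark table hunk in crypto/poly1305/asm/poly1305-ppc.pl (@@ -17,11) does more than refresh numbers: the POWER6 row ("3.96/+250% 2.02/+170%") is deleted outright. The commit message only says "presumably more accurate benchmark results"; either keep the row with a re-measured value or state that POWER6 was not re-measured.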
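Review bot: the @@ -1166,11 hunk in crypto/poly1305/asm/poly1305-x86.pl also corrects add/adc calls that were missing the "&" prefix used by every neighbouring instruction, on top of adding the new &adc ("esi",0) carry. That is a separate correction from the carry-chain change and the commit message does not mention it; call it out there so it is not lost if only part of this change is backported.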
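Review bot: in engines/e_padlock.c the new OPENSSL_cleanse(&buf, sizeof(buf)) sits only on the path that falls through to "return 1". If padlock_rand_bytes has an earlier return for a failed hardware read (not visible in this hunk), buf leaves the function uncleansed on that path; route those exits through the same cleanse.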
From: no-reply at appveyor.com (AppVeyor) Date: Mon, 04 Apr 2016 15:36:13 +0000 Subject: [openssl-commits] Build failed: openssl master.2542 Message-ID: <20160404153611.7825.12705.54B0E74F@appveyor.com> From no-reply at appveyor.com Mon Apr 4 16:28:01 2016 From: no-reply at appveyor.com (AppVeyor) Date: Mon, 04 Apr 2016 16:28:01 +0000 Subject: [openssl-commits] Build failed: openssl master.2543 Message-ID: <20160404162751.94562.37236.10FA305B@appveyor.com> From builds at travis-ci.org Mon Apr 4 17:31:26 2016 From: builds at travis-ci.org (Travis CI) Date: Mon, 04 Apr 2016 17:31:26 +0000 Subject: [openssl-commits] Fixed: FdaSilvaYY/openssl#398 (more-zalloc2 - ab38b56) In-Reply-To: Message-ID: <5702a4edc176f_33f8a71d103b860809f@acd1db2a-604f-4220-b0cd-4cf67df92499.mail> Build Update for FdaSilvaYY/openssl ------------------------------------- Build: #398 Status: Fixed Duration: 15 minutes and 56 seconds Commit: ab38b56 (more-zalloc2) Author: FdaSilvaYY Message: Add more zalloc View the changeset: https://github.com/FdaSilvaYY/openssl/compare/75fc8f00e00d...ab38b560ef15 View the full build log and details: https://travis-ci.org/FdaSilvaYY/openssl/builds/120673034 -- You can configure recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications From no-reply at appveyor.com Mon Apr 4 17:31:50 2016 From: no-reply at appveyor.com (AppVeyor) Date: Mon, 04 Apr 2016 17:31:50 +0000 Subject: [openssl-commits] Build failed: openssl master.2544 Message-ID: <20160404172515.49887.98908.1F7011FD@appveyor.com> From rsalz at openssl.org Mon Apr 4 17:45:55 2016 
From: rsalz at openssl.org (Rich Salz) Date: Mon, 04 Apr 2016 17:45:55 +0000 Subject: [openssl-commits] [openssl] OpenSSL_1_0_2-stable update Message-ID: <1459791955.426930.352.nullmailer@dev.openssl.org> The branch OpenSSL_1_0_2-stable has been updated via af2db04c9979554ada88d969da6332a827a47599 (commit) from 21211ade53f92629250bbea5e37d9179a31d3be2 (commit) - Log ----------------------------------------------------------------- commit af2db04c9979554ada88d969da6332a827a47599 Author: Todd Short Date: Sat Mar 5 08:47:55 2016 -0500 Fix ALPN * Perform ALPN after the SNI callback; the SSL_CTX may change due to that processing * Add flags to indicate that we actually sent ALPN, to properly error out if unexpectedly received. * document ALPN functions * unit tests Backport of commit 817cd0d52f0462039d1fe60462150be7f59d2002 Reviewed-by: Emilia Käsper Reviewed-by: Dr. Stephen Henson ----------------------------------------------------------------------- Summary of changes: CHANGES | 4 + doc/ssl/SSL_CTX_set_alpn_select_cb.pod | 126 +++++++++++++++++++++++ ssl/ssl_cert.c | 2 + ssl/ssl_lib.c | 17 +++- ssl/ssl_locl.h | 4 + ssl/ssltest.c | 181 ++++++++++++++++++++++++++++++--- ssl/t1_lib.c | 88 +++++++++++----- test/testssl | 19 ++++ 8 files changed, 399 insertions(+), 42 deletions(-) create mode 100644 doc/ssl/SSL_CTX_set_alpn_select_cb.pod diff --git a/CHANGES b/CHANGES index 4e118e6..2d73627 100644 --- a/CHANGES +++ b/CHANGES @@ -4,6 +4,10 @@ Changes between 1.0.2g and 1.0.2h [xx XXX xxxx] + *) Modify behavior of ALPN to invoke callback after SNI/servername + callback, such that updates to the SSL_CTX affect ALPN. + [Todd Short] + *) Remove LOW from the DEFAULT cipher list. This removes singles DES from the default. [Kurt Roeckx] diff --git a/doc/ssl/SSL_CTX_set_alpn_select_cb.pod b/doc/ssl/SSL_CTX_set_alpn_select_cb.pod new file mode 100644 index 0000000..80ba8ab --- /dev/null +++ b/doc/ssl/SSL_CTX_set_alpn_select_cb.pod 
@@ -0,0 +1,126 @@ +=pod + +=head1 NAME + +SSL_CTX_set_alpn_protos, SSL_set_alpn_protos, SSL_CTX_set_alpn_select_cb, +SSL_select_next_proto, SSL_get0_alpn_selected - handle application layer +protocol negotiation (ALPN) + +=head1 SYNOPSIS + + #include + + int SSL_CTX_set_alpn_protos(SSL_CTX *ctx, const unsigned char *protos, + unsigned protos_len); + int SSL_set_alpn_protos(SSL *ssl, const unsigned char *protos, + unsigned protos_len); + void SSL_CTX_set_alpn_select_cb(SSL_CTX *ctx, + int (*cb) (SSL *ssl, + const unsigned char **out, + unsigned char *outlen, + const unsigned char *in, + unsigned int inlen, + void *arg), void *arg); + int SSL_select_next_proto(unsigned char **out, unsigned char *outlen, + const unsigned char *server, + unsigned int server_len, + const unsigned char *client, + unsigned int client_len) + void SSL_get0_alpn_selected(const SSL *ssl, const unsigned char **data, + unsigned int *len); + +=head1 DESCRIPTION + +SSL_CTX_set_alpn_protos() and SSL_set_alpn_protos() are used by the client to +set the list of protocols available to be negotiated. The B must be in +protocol-list format, described below. The length of B is specified in +B. + +SSL_CTX_set_alpn_select_cb() sets the application callback B used by a +server to select which protocol to use for the incoming connection. When B +is NULL, ALPN is not used. The B value is a pointer which is passed to +the application callback. + +B is the application defined callback. The B, B parameters are a +vector in protocol-list format. The value of the B, B vector +should be set to the value of a single protocol selected from the B, +B vector. The B parameter is the pointer set via +SSL_CTX_set_alpn_select_cb(). + +SSL_select_next_proto() is a helper function used to select protocols. It +implements the standard protocol selection. It is expected that this function +is called from the application callback B. The protocol data in B, +B and B, B must be in the protocol-list format +described below. 
The first item in the B, B list that +matches an item in the B, B list is selected, and returned +in B, B. The B value will point into either B or +B, so it should be copied immediately. If no match is found, the first +item in B, B is returned in B, B. This +function can also be used in the NPN callback. + +SSL_get0_alpn_selected() returns a pointer to the selected protocol in B +with length B. It is not NUL-terminated. B is set to NULL and B +is set to 0 if no protocol has been selected. B must not be freed. + +=head1 NOTES + +The protocol-lists must be in wire-format, which is defined as a vector of +non-empty, 8-bit length-prefixed, byte strings. The length-prefix byte is not +included in the length. Each string is limited to 255 bytes. A byte-string +length of 0 is invalid. A truncated byte-string is invalid. The length of the +vector is not in the vector itself, but in a separate variable. + +Example: + + unsigned char vector[] = { + 6, 's', 'p', 'd', 'y', '/', '1', + 8, 'h', 't', 't', 'p', '/', '1', '.', '1' + }; + unsigned int length = sizeof(vector); + +The ALPN callback is executed after the servername callback; as that servername +callback may update the SSL_CTX, and subsequently, the ALPN callback. + +If there is no ALPN proposed in the ClientHello, the ALPN callback is not +invoked. + +=head1 RETURN VALUES + +SSL_CTX_set_alpn_protos() and SSL_set_alpn_protos() return 0 on success, and +non-0 on failure. WARNING: these functions reverse the return value convention. + +SSL_select_next_proto() returns one of the following: + +=over 4 + +=item OPENSSL_NPN_NEGOTIATED + +A match was found and is returned in B, B. + +=item OPENSSL_NPN_NO_OVERLAP + +No match was found. The first item in B, B is returned in +B, B. + +=back + +The ALPN select callback B, must return one of the following: + +=over 4 + +=item SSL_TLSEXT_ERR_OK + +ALPN protocol selected. + +=item SSL_TLSEXT_ERR_NOACK + +ALPN protocol not selected. + +=back + +=head1 SEE ALSO + +L, L, +L + +=cut 
diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c index a73f866..acc5361 100644 --- a/ssl/ssl_cert.c +++ b/ssl/ssl_cert.c @@ -504,6 +504,8 @@ void ssl_cert_free(CERT *c) #ifndef OPENSSL_NO_TLSEXT custom_exts_free(&c->cli_ext); custom_exts_free(&c->srv_ext); + if (c->alpn_proposed) + OPENSSL_free(c->alpn_proposed); #endif OPENSSL_free(c); } diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index f1279bb..fd94325 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -244,7 +244,16 @@ int SSL_clear(SSL *s) ssl_clear_hash_ctx(&s->write_hash); s->first_packet = 0; - +#ifndef OPENSSL_NO_TLSEXT + if (s->cert != NULL) { + if (s->cert->alpn_proposed) { + OPENSSL_free(s->cert->alpn_proposed); + s->cert->alpn_proposed = NULL; + } + s->cert->alpn_proposed_len = 0; + s->cert->alpn_sent = 0; + } +#endif #if 1 /* * Check to see if we were changed into a different method, if so, revert @@ -3174,6 +3183,12 @@ SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX *ctx) ssl->cert->ciphers_rawlen = ocert->ciphers_rawlen; ocert->ciphers_raw = NULL; } +#ifndef OPENSSL_NO_TLSEXT + ssl->cert->alpn_proposed = ocert->alpn_proposed; + ssl->cert->alpn_proposed_len = ocert->alpn_proposed_len; + ocert->alpn_proposed = NULL; + ssl->cert->alpn_sent = ocert->alpn_sent; +#endif ssl_cert_free(ocert); } diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h index 54c191a..747e718 100644 --- a/ssl/ssl_locl.h +++ b/ssl/ssl_locl.h @@ -688,6 +688,10 @@ typedef struct cert_st { custom_ext_methods cli_ext; custom_ext_methods srv_ext; int references; /* >1 only if SSL_copy_session_id is used */ + /* non-optimal, but here due to compatibility */ + unsigned char *alpn_proposed; /* server */ + unsigned int alpn_proposed_len; + int alpn_sent; /* client */ } CERT; typedef struct sess_cert_st { diff --git a/ssl/ssltest.c b/ssl/ssltest.c index aaf6c6b..1db84ad 100644 --- a/ssl/ssltest.c +++ b/ssl/ssltest.c 
@@ -217,6 +217,9 @@ # define TEST_CLIENT_CERT "../apps/client.pem" #endif +static SSL_CTX *s_ctx = NULL; +static SSL_CTX *s_ctx2 = NULL; + /* * There is really no standard for this, so let's assign some tentative * numbers. In any case, these numbers are only for this test @@ -300,9 +303,51 @@ static BIO *bio_err = NULL; static BIO *bio_stdout = NULL; static const char *alpn_client; -static const char *alpn_server; +static char *alpn_server; +static char *alpn_server2; static const char *alpn_expected; static unsigned char *alpn_selected; +static const char *sn_client; +static const char *sn_server1; +static const char *sn_server2; +static int sn_expect = 0; + +static int servername_cb(SSL *s, int *ad, void *arg) +{ + const char *servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name); + if (sn_server2 == NULL) { + BIO_printf(bio_stdout, "Servername 2 is NULL\n"); + return SSL_TLSEXT_ERR_NOACK; + } + + if (servername != NULL) { + if (s_ctx2 != NULL && sn_server2 != NULL && + !strcasecmp(servername, sn_server2)) { + BIO_printf(bio_stdout, "Switching server context.\n"); + SSL_set_SSL_CTX(s, s_ctx2); + } + } + return SSL_TLSEXT_ERR_OK; +} +static int verify_servername(SSL *client, SSL *server) +{ + /* just need to see if sn_context is what we expect */ + SSL_CTX* ctx = SSL_get_SSL_CTX(server); + if (sn_expect == 0) + return 0; + if (sn_expect == 1 && ctx == s_ctx) + return 0; + if (sn_expect == 2 && ctx == s_ctx2) + return 0; + BIO_printf(bio_stdout, "Servername: expected context %d\n", sn_expect); + if (ctx == s_ctx2) + BIO_printf(bio_stdout, "Servername: context is 2\n"); + else if (ctx == s_ctx) + BIO_printf(bio_stdout, "Servername: context is 1\n"); + else + BIO_printf(bio_stdout, "Servername: context is unknown\n"); + return -1; +} /*- * next_protos_parse parses a comma separated list of strings into a string 
@@ -350,11 +395,12 @@ static int cb_server_alpn(SSL *s, const unsigned char **out, { unsigned char *protos; unsigned short protos_len; + char* alpn_str = arg; - protos = next_protos_parse(&protos_len, alpn_server); + protos = next_protos_parse(&protos_len, alpn_str); if (protos == NULL) { fprintf(stderr, "failed to parser ALPN server protocol string: %s\n", - alpn_server); + alpn_str); abort(); } @@ -417,8 +463,17 @@ static int verify_alpn(SSL *client, SSL *server) BIO_printf(bio_stdout, "', server: '"); BIO_write(bio_stdout, server_proto, server_proto_len); BIO_printf(bio_stdout, "'\n"); - BIO_printf(bio_stdout, "ALPN configured: client: '%s', server: '%s'\n", - alpn_client, alpn_server); + BIO_printf(bio_stdout, "ALPN configured: client: '%s', server: ", + alpn_client); + if (SSL_get_SSL_CTX(server) == s_ctx2) { + BIO_printf(bio_stdout, "'%s'\n", + alpn_server2); + } else if (SSL_get_SSL_CTX(server) == s_ctx){ + BIO_printf(bio_stdout, "'%s'\n", + alpn_server); + } else { + BIO_printf(bio_stdout, "unknown\n"); + } return -1; } @@ -756,8 +811,15 @@ static void sv_usage(void) " -custom_ext - try various custom extension callbacks\n"); fprintf(stderr, " -alpn_client - have client side offer ALPN\n"); fprintf(stderr, " -alpn_server - have server side offer ALPN\n"); + fprintf(stderr, " -alpn_server1 - alias for -alpn_server\n"); + fprintf(stderr, " -alpn_server2 - have server side context 2 offer ALPN\n"); fprintf(stderr, " -alpn_expected - the ALPN protocol that should be negotiated\n"); + fprintf(stderr, " -sn_client - have client request this servername\n"); + fprintf(stderr, " -sn_server1 - have server context 1 respond to this servername\n"); + fprintf(stderr, " -sn_server2 - have server context 2 respond to this servername\n"); + fprintf(stderr, " -sn_expect1 - expected server 1\n"); + fprintf(stderr, " -sn_expect2 - expected server 2\n"); } static void print_details(SSL *c_ssl, const char *prefix) 
@@ -896,7 +958,6 @@ int main(int argc, char *argv[]) #ifndef OPENSSL_NO_ECDH char *named_curve = NULL; #endif - SSL_CTX *s_ctx = NULL; SSL_CTX *c_ctx = NULL; const SSL_METHOD *meth = NULL; SSL *c_ssl, *s_ssl; @@ -1151,14 +1212,35 @@ int main(int argc, char *argv[]) if (--argc < 1) goto bad; alpn_client = *(++argv); - } else if (strcmp(*argv, "-alpn_server") == 0) { + } else if (strcmp(*argv, "-alpn_server") == 0 || + strcmp(*argv, "-alpn_server1") == 0) { if (--argc < 1) goto bad; alpn_server = *(++argv); + } else if (strcmp(*argv, "-alpn_server2") == 0) { + if (--argc < 1) + goto bad; + alpn_server2 = *(++argv); } else if (strcmp(*argv, "-alpn_expected") == 0) { if (--argc < 1) goto bad; alpn_expected = *(++argv); + } else if (strcmp(*argv, "-sn_client") == 0) { + if (--argc < 1) + goto bad; + sn_client = *(++argv); + } else if (strcmp(*argv, "-sn_server1") == 0) { + if (--argc < 1) + goto bad; + sn_server1 = *(++argv); + } else if (strcmp(*argv, "-sn_server2") == 0) { + if (--argc < 1) + goto bad; + sn_server2 = *(++argv); + } else if (strcmp(*argv, "-sn_expect1") == 0) { + sn_expect = 1; + } else if (strcmp(*argv, "-sn_expect2") == 0) { + sn_expect = 2; } else { fprintf(stderr, "unknown option %s\n", *argv); badop = 1; @@ -1304,7 +1386,8 @@ int main(int argc, char *argv[]) c_ctx = SSL_CTX_new(meth); s_ctx = SSL_CTX_new(meth); - if ((c_ctx == NULL) || (s_ctx == NULL)) { + s_ctx2 = SSL_CTX_new(meth); /* no SSL_CTX_dup! */ + if ((c_ctx == NULL) || (s_ctx == NULL) || (s_ctx2 == NULL)) { ERR_print_errors(bio_err); goto end; } @@ -1312,7 +1395,9 @@ int main(int argc, char *argv[]) if (cipher != NULL) { SSL_CTX_set_cipher_list(c_ctx, cipher); SSL_CTX_set_cipher_list(s_ctx, cipher); + SSL_CTX_set_cipher_list(s_ctx2, cipher); } + #ifndef OPENSSL_NO_DH if (!no_dhe) { if (dhe1024dsa) { 
@@ -1320,12 +1405,14 @@ int main(int argc, char *argv[]) * use SSL_OP_SINGLE_DH_USE to avoid small subgroup attacks */ SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_DH_USE); + SSL_CTX_set_options(s_ctx2, SSL_OP_SINGLE_DH_USE); dh = get_dh1024dsa(); } else if (dhe512) dh = get_dh512(); else dh = get_dh1024(); SSL_CTX_set_tmp_dh(s_ctx, dh); + SSL_CTX_set_tmp_dh(s_ctx2, dh); DH_free(dh); } #else @@ -1353,7 +1440,9 @@ int main(int argc, char *argv[]) } SSL_CTX_set_tmp_ecdh(s_ctx, ecdh); + SSL_CTX_set_tmp_ecdh(s_ctx2, ecdh); SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_ECDH_USE); + SSL_CTX_set_options(s_ctx2, SSL_OP_SINGLE_ECDH_USE); EC_KEY_free(ecdh); } #else @@ -1362,15 +1451,18 @@ int main(int argc, char *argv[]) #ifndef OPENSSL_NO_RSA SSL_CTX_set_tmp_rsa_callback(s_ctx, tmp_rsa_cb); + SSL_CTX_set_tmp_rsa_callback(s_ctx2, tmp_rsa_cb); #endif #ifdef TLSEXT_TYPE_opaque_prf_input SSL_CTX_set_tlsext_opaque_prf_input_callback(c_ctx, opaque_prf_input_cb); SSL_CTX_set_tlsext_opaque_prf_input_callback(s_ctx, opaque_prf_input_cb); + SSL_CTX_set_tlsext_opaque_prf_input_callback(s_ctx2, opaque_prf_input_cb); /* or &co2 or NULL */ SSL_CTX_set_tlsext_opaque_prf_input_callback_arg(c_ctx, &co1); /* or &so2 or NULL */ SSL_CTX_set_tlsext_opaque_prf_input_callback_arg(s_ctx, &so1); + SSL_CTX_set_tlsext_opaque_prf_input_callback_arg(s_ctx2, &so1); #endif if (!SSL_CTX_use_certificate_file(s_ctx, server_cert, SSL_FILETYPE_PEM)) { @@ -1383,6 +1475,16 @@ int main(int argc, char *argv[]) goto end; } + if (!SSL_CTX_use_certificate_file(s_ctx2, server_cert, SSL_FILETYPE_PEM)) { + ERR_print_errors(bio_err); + } else if (!SSL_CTX_use_PrivateKey_file(s_ctx2, + (server_key ? server_key : + server_cert), + SSL_FILETYPE_PEM)) { + ERR_print_errors(bio_err); + goto end; + } + if (client_auth) { SSL_CTX_use_certificate_file(c_ctx, client_cert, SSL_FILETYPE_PEM); SSL_CTX_use_PrivateKey_file(c_ctx, 
@@ -1392,6 +1494,8 @@ int main(int argc, char *argv[]) if ((!SSL_CTX_load_verify_locations(s_ctx, CAfile, CApath)) || (!SSL_CTX_set_default_verify_paths(s_ctx)) || + (!SSL_CTX_load_verify_locations(s_ctx2, CAfile, CApath)) || + (!SSL_CTX_set_default_verify_paths(s_ctx2)) || (!SSL_CTX_load_verify_locations(c_ctx, CAfile, CApath)) || (!SSL_CTX_set_default_verify_paths(c_ctx))) { /* fprintf(stderr,"SSL_load_verify_locations\n"); */ @@ -1406,6 +1510,11 @@ int main(int argc, char *argv[]) verify_callback); SSL_CTX_set_cert_verify_callback(s_ctx, app_verify_callback, &app_verify_arg); + SSL_CTX_set_verify(s_ctx2, + SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, + verify_callback); + SSL_CTX_set_cert_verify_callback(s_ctx2, app_verify_callback, + &app_verify_arg); } if (server_auth) { BIO_printf(bio_err, "server authentication\n"); @@ -1418,6 +1527,8 @@ int main(int argc, char *argv[]) int session_id_context = 0; SSL_CTX_set_session_id_context(s_ctx, (void *)&session_id_context, sizeof session_id_context); + SSL_CTX_set_session_id_context(s_ctx2, (void *)&session_id_context, + sizeof session_id_context); } /* Use PSK only if PSK key is given */ @@ -1436,6 +1547,7 @@ int main(int argc, char *argv[]) #ifndef OPENSSL_NO_PSK SSL_CTX_set_psk_client_callback(c_ctx, psk_client_callback); SSL_CTX_set_psk_server_callback(s_ctx, psk_server_callback); + SSL_CTX_set_psk_server_callback(s_ctx2, psk_server_callback); if (debug) BIO_printf(bio_err, "setting PSK identity hint to s_ctx\n"); if (!SSL_CTX_use_psk_identity_hint(s_ctx, "ctx server identity_hint")) { @@ -1443,6 +1555,11 @@ int main(int argc, char *argv[]) ERR_print_errors(bio_err); goto end; } + if (!SSL_CTX_use_psk_identity_hint(s_ctx2, "ctx server identity_hint")) { + BIO_printf(bio_err, "error setting PSK identity hint to s_ctx2\n"); + ERR_print_errors(bio_err); + goto end; + } #endif } #ifndef OPENSSL_NO_SRP 
@@ -1461,8 +1578,11 @@ int main(int argc, char *argv[]) if (srp_server_arg.expected_user != NULL) { SSL_CTX_set_verify(s_ctx, SSL_VERIFY_NONE, verify_callback); + SSL_CTX_set_verify(s_ctx2, SSL_VERIFY_NONE, verify_callback); SSL_CTX_set_srp_cb_arg(s_ctx, &srp_server_arg); + SSL_CTX_set_srp_cb_arg(s_ctx2, &srp_server_arg); SSL_CTX_set_srp_username_callback(s_ctx, ssl_srp_server_param_cb); + SSL_CTX_set_srp_username_callback(s_ctx2, ssl_srp_server_param_cb); } #endif @@ -1475,11 +1595,16 @@ int main(int argc, char *argv[]) NULL, NULL, NULL, serverinfo_cli_parse_cb, NULL); - if (serverinfo_file) + if (serverinfo_file) { if (!SSL_CTX_use_serverinfo_file(s_ctx, serverinfo_file)) { BIO_printf(bio_err, "missing serverinfo file\n"); goto end; } + if (!SSL_CTX_use_serverinfo_file(s_ctx2, serverinfo_file)) { + BIO_printf(bio_err, "missing serverinfo file\n"); + goto end; + } + } if (custom_ext) { SSL_CTX_add_client_custom_ext(c_ctx, CUSTOM_EXT_TYPE_0, @@ -1515,10 +1640,29 @@ int main(int argc, char *argv[]) custom_ext_3_srv_add_cb, NULL, NULL, custom_ext_3_srv_parse_cb, NULL); + + SSL_CTX_add_server_custom_ext(s_ctx2, CUSTOM_EXT_TYPE_0, + custom_ext_0_srv_add_cb, + NULL, NULL, + custom_ext_0_srv_parse_cb, NULL); + SSL_CTX_add_server_custom_ext(s_ctx2, CUSTOM_EXT_TYPE_1, + custom_ext_1_srv_add_cb, + NULL, NULL, + custom_ext_1_srv_parse_cb, NULL); + SSL_CTX_add_server_custom_ext(s_ctx2, CUSTOM_EXT_TYPE_2, + custom_ext_2_srv_add_cb, + NULL, NULL, + custom_ext_2_srv_parse_cb, NULL); + SSL_CTX_add_server_custom_ext(s_ctx2, CUSTOM_EXT_TYPE_3, + custom_ext_3_srv_add_cb, + NULL, NULL, + custom_ext_3_srv_parse_cb, NULL); } if (alpn_server) - SSL_CTX_set_alpn_select_cb(s_ctx, cb_server_alpn, NULL); + SSL_CTX_set_alpn_select_cb(s_ctx, cb_server_alpn, alpn_server); + if (alpn_server2) + SSL_CTX_set_alpn_select_cb(s_ctx2, cb_server_alpn, alpn_server2); if (alpn_client) { unsigned short alpn_len; 
@@ -1532,9 +1676,15 @@ int main(int argc, char *argv[]) OPENSSL_free(alpn); } + if (sn_server1 || sn_server2) + SSL_CTX_set_tlsext_servername_callback(s_ctx, servername_cb); + c_ssl = SSL_new(c_ctx); s_ssl = SSL_new(s_ctx); + if (sn_client) + SSL_set_tlsext_host_name(c_ssl, sn_client); + #ifndef OPENSSL_NO_KRB5 if (c_ssl && c_ssl->kssl_ctx) { char localhost[MAXHOSTNAMELEN + 2]; @@ -1588,12 +1738,19 @@ int main(int argc, char *argv[]) #endif } + if (verify_alpn(c_ssl, s_ssl) < 0) + ret = 1; + if (verify_servername(c_ssl, s_ssl) < 0) + ret = 1; + SSL_free(s_ssl); SSL_free(c_ssl); end: if (s_ctx != NULL) SSL_CTX_free(s_ctx); + if (s_ctx2 != NULL) + SSL_CTX_free(s_ctx2); if (c_ctx != NULL) SSL_CTX_free(c_ctx); @@ -1961,10 +2118,6 @@ int doit_biopair(SSL *s_ssl, SSL *c_ssl, long count, ret = 1; goto err; } - if (verify_alpn(c_ssl, s_ssl) < 0) { - ret = 1; - goto err; - } if (custom_ext_error) { ret = 1; diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index 0bf0ea5..dd5bd00 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -1539,6 +1539,7 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, s2n(s->alpn_client_proto_list_len, ret); memcpy(ret, s->alpn_client_proto_list, s->alpn_client_proto_list_len); ret += s->alpn_client_proto_list_len; + s->cert->alpn_sent = 1; } # ifndef OPENSSL_NO_SRTP if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)) { @@ -1906,7 +1907,7 @@ static void ssl_check_for_safari(SSL *s, const unsigned char *data, # endif /* !OPENSSL_NO_EC */ /* - * tls1_alpn_handle_client_hello is called to process the ALPN extension in a + * tls1_alpn_handle_client_hello is called to save the ALPN extension in a * ClientHello. data: the contents of the extension, not including the type * and length. data_len: the number of bytes in |data| al: a pointer to the * alert value to send in the event of a non-zero return. returns: 0 on 
@@ -1917,12 +1918,6 @@ static int tls1_alpn_handle_client_hello(SSL *s, const unsigned char *data, { unsigned i; unsigned proto_len; - const unsigned char *selected; - unsigned char selected_len; - int r; - - if (s->ctx->alpn_select_cb == NULL) - return 0; if (data_len < 2) goto parse_error; @@ -1953,19 +1948,15 @@ static int tls1_alpn_handle_client_hello(SSL *s, const unsigned char *data, i += proto_len; } - r = s->ctx->alpn_select_cb(s, &selected, &selected_len, data, data_len, - s->ctx->alpn_select_cb_arg); - if (r == SSL_TLSEXT_ERR_OK) { - if (s->s3->alpn_selected) - OPENSSL_free(s->s3->alpn_selected); - s->s3->alpn_selected = OPENSSL_malloc(selected_len); - if (!s->s3->alpn_selected) { - *al = SSL_AD_INTERNAL_ERROR; - return -1; - } - memcpy(s->s3->alpn_selected, selected, selected_len); - s->s3->alpn_selected_len = selected_len; + if (s->cert->alpn_proposed != NULL) + OPENSSL_free(s->cert->alpn_proposed); + s->cert->alpn_proposed = OPENSSL_malloc(data_len); + if (s->cert->alpn_proposed == NULL) { + *al = SSL_AD_INTERNAL_ERROR; + return -1; } + memcpy(s->cert->alpn_proposed, data, data_len); + s->cert->alpn_proposed_len = data_len; return 0; parse_error: 
@@ -1973,6 +1964,43 @@ static int tls1_alpn_handle_client_hello(SSL *s, const unsigned char *data, return -1; } +/* + * Process the ALPN extension in a ClientHello. + * ret: a pointer to the TLSEXT return value: SSL_TLSEXT_ERR_* + * al: a pointer to the alert value to send in the event of a failure. + * returns 1 on success, 0 on failure: al/ret set only on failure + */ +static int tls1_alpn_handle_client_hello_late(SSL *s, int *ret, int *al) +{ + const unsigned char *selected = NULL; + unsigned char selected_len = 0; + + if (s->ctx->alpn_select_cb != NULL && s->cert->alpn_proposed != NULL) { + int r = s->ctx->alpn_select_cb(s, &selected, &selected_len, + s->cert->alpn_proposed, + s->cert->alpn_proposed_len, + s->ctx->alpn_select_cb_arg); + + if (r == SSL_TLSEXT_ERR_OK) { + OPENSSL_free(s->s3->alpn_selected); + s->s3->alpn_selected = OPENSSL_malloc(selected_len); + if (s->s3->alpn_selected == NULL) { + *al = SSL_AD_INTERNAL_ERROR; + *ret = SSL_TLSEXT_ERR_ALERT_FATAL; + return 0; + } + memcpy(s->s3->alpn_selected, selected, selected_len); + s->s3->alpn_selected_len = selected_len; +# ifndef OPENSSL_NO_NEXTPROTONEG + /* ALPN takes precedence over NPN. */ + s->s3->next_proto_neg_seen = 0; +# endif + } + } + + return 1; +} + static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *limit, int *al) { @@ -1992,6 +2020,12 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, OPENSSL_free(s->s3->alpn_selected); s->s3->alpn_selected = NULL; } + s->s3->alpn_selected_len = 0; + if (s->cert->alpn_proposed) { + OPENSSL_free(s->cert->alpn_proposed); + s->cert->alpn_proposed = NULL; + } + s->cert->alpn_proposed_len = 0; # ifndef OPENSSL_NO_HEARTBEATS s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED | SSL_TLSEXT_HB_DONT_SEND_REQUESTS); 
@@ -2359,8 +2393,7 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, # endif # ifndef OPENSSL_NO_NEXTPROTONEG else if (type == TLSEXT_TYPE_next_proto_neg && - s->s3->tmp.finish_md_len == 0 && - s->s3->alpn_selected == NULL) { + s->s3->tmp.finish_md_len == 0) { /*- * We shouldn't accept this extension on a * renegotiation. @@ -2383,13 +2416,9 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, # endif else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation && - s->ctx->alpn_select_cb && s->s3->tmp.finish_md_len == 0) { + s->s3->tmp.finish_md_len == 0) { if (tls1_alpn_handle_client_hello(s, data, size, al) != 0) return 0; -# ifndef OPENSSL_NO_NEXTPROTONEG - /* ALPN takes precedence over NPN. */ - s->s3->next_proto_neg_seen = 0; -# endif } /* session ticket processed earlier */ @@ -2698,7 +2727,7 @@ static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p, unsigned len; /* We must have requested it. */ - if (s->alpn_client_proto_list == NULL) { + if (!s->cert->alpn_sent) { *al = TLS1_AD_UNSUPPORTED_EXTENSION; return 0; } @@ -2863,6 +2892,7 @@ int ssl_prepare_clienthello_tlsext(SSL *s) } # endif + s->cert->alpn_sent = 0; return 1; } @@ -3066,6 +3096,10 @@ int ssl_check_clienthello_tlsext_late(SSL *s) } else s->tlsext_status_expected = 0; + if (!tls1_alpn_handle_client_hello_late(s, &ret, &al)) { + goto err; + } + err: switch (ret) { case SSL_TLSEXT_ERR_ALERT_FATAL: diff --git a/test/testssl b/test/testssl index 747e4ba..a6f9fa7 100644 --- a/test/testssl +++ b/test/testssl 
@@ -236,6 +236,17 @@ $ssltest -bio_pair -tls1 -serverinfo_file $serverinfo -serverinfo_tack || exit 1 $ssltest -bio_pair -tls1 -serverinfo_file $serverinfo -serverinfo_sct -serverinfo_tack || exit 1 $ssltest -bio_pair -tls1 -custom_ext -serverinfo_file $serverinfo -serverinfo_sct -serverinfo_tack || exit 1 +############################################################################# +# SNI tests + +$ssltest -bio_pair -sn_client foo || exit 1 +$ssltest -bio_pair -sn_server1 foo || exit 1 +$ssltest -bio_pair -sn_client foo -sn_server1 foo -sn_expect1 || exit 1 +$ssltest -bio_pair -sn_client foo -sn_server1 bar -sn_expect1 || exit 1 +$ssltest -bio_pair -sn_client foo -sn_server1 foo -sn_server2 bar -sn_expect1 || exit 1 +$ssltest -bio_pair -sn_client bar -sn_server1 foo -sn_server2 bar -sn_expect2 || exit 1 +# Negative test - make sure it doesn't crash, and doesn't switch contexts +$ssltest -bio_pair -sn_client foobar -sn_server1 foo -sn_server2 bar -sn_expect1 || exit 1 ############################################################################# # ALPN tests 
@@ -249,6 +260,14 @@ $ssltest -bio_pair -tls1 -alpn_client bar,foo -alpn_server bar,foo -alpn_expecte $ssltest -bio_pair -tls1 -alpn_client foo,bar -alpn_server bar,foo -alpn_expected bar || exit 1 $ssltest -bio_pair -tls1 -alpn_client baz -alpn_server bar,foo || exit 1 + +############################################################################# +# ALPN + SNI + +$ssltest -bio_pair -alpn_client foo,bar -sn_client alice -alpn_server1 foo,123 -sn_server1 alice -alpn_server2 bar,456 -sn_server2 bob -alpn_expected foo || exit 1 +$ssltest -bio_pair -alpn_client foo,bar -sn_client bob -alpn_server1 foo,123 -sn_server1 alice -alpn_server2 bar,456 -sn_server2 bob -alpn_expected bar || exit 1 +$ssltest -bio_pair -alpn_client foo,bar -sn_client bob -sn_server1 alice -alpn_server2 bar,456 -sn_server2 bob -alpn_expected bar || exit 1 + if ../util/shlib_wrap.sh ../apps/openssl no-srp; then echo skipping SRP tests else From builds at travis-ci.org Mon Apr 4 17:53:52 2016 From: builds at travis-ci.org (Travis CI) Date: Mon, 04 Apr 2016 17:53:52 +0000 Subject: [openssl-commits] Fixed: FdaSilvaYY/openssl#399 (crypto_mem_leaks - 3b13bd7) In-Reply-To: Message-ID: <5702aa3066c8d_33fd0da0bcae41185033@dbfa9a30-2cac-424c-81ea-3cb1521c4ab5.mail> Build Update for FdaSilvaYY/openssl ------------------------------------- Build: #399 Status: Fixed Duration: 15 minutes and 23 seconds Commit: 3b13bd7 (crypto_mem_leaks) Author: FdaSilvaYY Message: Add missing mem leak test activation and checks View the changeset: https://github.com/FdaSilvaYY/openssl/compare/4be2ee8f67b3...3b13bd73f020 View the full build log and details: https://travis-ci.org/FdaSilvaYY/openssl/builds/120673302 -- You can configure recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications -------------- next part -------------- An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Mon Apr 4 18:20:21 2016 
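Review bot: In the SYNOPSIS of the new doc/ssl/SSL_CTX_set_alpn_select_cb.pod, the SSL_select_next_proto() prototype ends at "unsigned int client_len)" with no terminating semicolon, unlike the prototypes around it. In NOTES, the sentence starting "The ALPN callback is executed after the servername callback; as that servername callback may update the SSL_CTX, and subsequently, the ALPN callback." never finishes its clause; state plainly that the ALPN callback used is the one registered on the SSL_CTX in effect after the servername callback returns.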
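Review bot: In the cert_st hunk of ssl/ssl_locl.h, alpn_proposed, alpn_proposed_len and alpn_sent are per-handshake state, yet they are added to CERT directly below the references field, whose comment says the count exceeds 1 when SSL_copy_session_id is used; two SSL objects sharing a CERT would then share this state. The comment "non-optimal, but here due to compatibility" should name the constraint that forces the fields into CERT and say what happens in the shared-CERT case, so the placement is not copied elsewhere without that context.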
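Review bot: In tls1_alpn_handle_client_hello_late() in ssl/t1_lib.c, only r == SSL_TLSEXT_ERR_OK is acted on; every other value returned by alpn_select_cb falls through to return 1, so a callback that returns a fatal value cannot stop the handshake and the connection proceeds with no protocol selected. Either handle the remaining SSL_TLSEXT_ERR_* values explicitly, or say in the function comment and in the new pod (which lists only SSL_TLSEXT_ERR_OK and SSL_TLSEXT_ERR_NOACK) that they are all treated as "not selected". The same block calls OPENSSL_free(s->s3->alpn_selected) unguarded while the other frees added in this patch test the pointer first; use one style throughout.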
From: no-reply at appveyor.com (AppVeyor) Date: Mon, 04 Apr 2016 18:20:21 +0000 Subject: [openssl-commits] Build failed: openssl master.2545 Message-ID: <20160404182020.13853.98839.0CC28666@appveyor.com> From builds at travis-ci.org Mon Apr 4 18:20:54 2016 From: builds at travis-ci.org (Travis CI) Date: Mon, 04 Apr 2016 18:20:54 +0000 Subject: [openssl-commits] Fixed: FdaSilvaYY/openssl#400 (spelling2 - 24d09a4) In-Reply-To: Message-ID: <5702b0867d3b_33fd0da0b7544122622e@dbfa9a30-2cac-424c-81ea-3cb1521c4ab5.mail> Build Update for FdaSilvaYY/openssl ------------------------------------- Build: #400 Status: Fixed Duration: 19 minutes and 11 seconds Commit: 24d09a4 (spelling2) Author: FdaSilvaYY Message: various spelling fixes View the changeset: https://github.com/FdaSilvaYY/openssl/compare/38fa327a6e57...24d09a4ac0f5 View the full build log and details: https://travis-ci.org/FdaSilvaYY/openssl/builds/120673543 From rsalz at openssl.org Mon Apr 4 19:05:29 2016 
From: rsalz at openssl.org (Rich Salz) Date: Mon, 04 Apr 2016 19:05:29 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1459796729.437821.24341.nullmailer@dev.openssl.org> The branch master has been updated via f6c006ea76304a52cf9212695525e1bcc6cf6c22 (commit) via c5137473bdc7bcf7c43b4bd5d28827f8ddd70490 (commit) via 97458daade31c32ea8816b7e065e3bda3be588fa (commit) via 0517538d1a39bc5eb664928a6c40b4a0afad01da (commit) from 6c13488c4e75ef839bc07a3ce428289aef4bd267 (commit) - Log ----------------------------------------------------------------- commit f6c006ea76304a52cf9212695525e1bcc6cf6c22 Author: FdaSilvaYY Date: Sun Apr 3 23:37:58 2016 +0200 Fix a possible leak on NETSCAPE_SPKI_verify failure. Reviewed-by: Stephen Henson Reviewed-by: Rich Salz commit c5137473bdc7bcf7c43b4bd5d28827f8ddd70490 Author: FdaSilvaYY Date: Sun Apr 3 23:37:32 2016 +0200 Use X509_REQ_get0_pubkey Reviewed-by: Stephen Henson Reviewed-by: Rich Salz commit 97458daade31c32ea8816b7e065e3bda3be588fa Author: FdaSilvaYY Date: Sun Apr 3 23:24:51 2016 +0200 Add X509_REQ_get0_pubkey method Reviewed-by: Stephen Henson Reviewed-by: Rich Salz commit 0517538d1a39bc5eb664928a6c40b4a0afad01da Author: FdaSilvaYY Date: Thu Mar 17 00:15:48 2016 +0100 Fix two leaks in X509_REQ_to_X509 Issue #182 Reviewed-by: Stephen Henson Reviewed-by: Rich Salz ----------------------------------------------------------------------- Summary of changes: apps/ca.c | 6 +++--- apps/req.c | 19 +++++++------------ apps/x509.c | 6 ++---- crypto/x509/x509_r2x.c | 11 +++++++---- crypto/x509/x509_req.c | 7 +++++++ doc/crypto/X509_get_pubkey.pod | 12 +++++++----- include/openssl/x509.h | 1 + util/libcrypto.num | 1 + 8 files changed, 35 insertions(+), 28 deletions(-) diff --git a/apps/ca.c b/apps/ca.c index 3062d7e..cc74c5b 100644 --- a/apps/ca.c +++ b/apps/ca.c 
@@ -1351,12 +1351,12 @@ static int certify(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509, ok = 0; goto end; } - if ((pktmp = X509_REQ_get_pubkey(req)) == NULL) { + if ((pktmp = X509_REQ_get0_pubkey(req)) == NULL) { BIO_printf(bio_err, "error unpacking public key\n"); goto end; } i = X509_REQ_verify(req, pktmp); - EVP_PKEY_free(pktmp); + pktmp = NULL; if (i < 0) { ok = 0; BIO_printf(bio_err, "Signature verification problems....\n"); @@ -1790,7 +1790,6 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, pktmp = X509_REQ_get_pubkey(req); i = X509_set_pubkey(ret, pktmp); - EVP_PKEY_free(pktmp); if (!i) goto end; @@ -2072,6 +2071,7 @@ static int certify_spkac(X509 **xret, char *infile, EVP_PKEY *pkey, j = NETSCAPE_SPKI_verify(spki, pktmp); if (j <= 0) { + EVP_PKEY_free(pktmp); BIO_printf(bio_err, "signature verification failed on SPKAC public key\n"); goto end; diff --git a/apps/req.c b/apps/req.c index edf998b..561cccc 100644 --- a/apps/req.c +++ b/apps/req.c @@ -375,6 +375,7 @@ int req_main(int argc, char **argv) if (!nmflag_set) nmflag = XN_FLAG_ONELINE; + /* TODO: simplify this as pkey is still always NULL here */ private = newreq && (pkey == NULL) ? 1 : 0; if (!app_passwd(passargin, passargout, &passin, &passout)) { @@ -666,10 +667,9 @@ int req_main(int argc, char **argv) if (!X509_set_subject_name (x509ss, X509_REQ_get_subject_name(req))) goto end; - tmppkey = X509_REQ_get_pubkey(req); + tmppkey = X509_REQ_get0_pubkey(req); if (!tmppkey || !X509_set_pubkey(x509ss, tmppkey)) goto end; - EVP_PKEY_free(tmppkey); /* Set up V3 context struct */ 
@@ -739,20 +739,15 @@ int req_main(int argc, char **argv) } if (verify && !x509) { - int tmp = 0; + EVP_PKEY *pubkey = pkey; - if (pkey == NULL) { - pkey = X509_REQ_get_pubkey(req); - tmp = 1; - if (pkey == NULL) + if (pubkey == NULL) { + pubkey = X509_REQ_get0_pubkey(req); + if (pubkey == NULL) goto end; } - i = X509_REQ_verify(req, pkey); - if (tmp) { - EVP_PKEY_free(pkey); - pkey = NULL; - } + i = X509_REQ_verify(req, pubkey); if (i < 0) { goto end; diff --git a/apps/x509.c b/apps/x509.c index 00c0d97..bc56233 100644 --- a/apps/x509.c +++ b/apps/x509.c @@ -562,12 +562,11 @@ int x509_main(int argc, char **argv) goto end; } - if ((pkey = X509_REQ_get_pubkey(req)) == NULL) { + if ((pkey = X509_REQ_get0_pubkey(req)) == NULL) { BIO_printf(bio_err, "error unpacking public key\n"); goto end; } i = X509_REQ_verify(req, pkey); - EVP_PKEY_free(pkey); if (i < 0) { BIO_printf(bio_err, "Signature verification error\n"); ERR_print_errors(bio_err); @@ -607,9 +606,8 @@ int x509_main(int argc, char **argv) if (fkey) X509_set_pubkey(x, fkey); else { - pkey = X509_REQ_get_pubkey(req); + pkey = X509_REQ_get0_pubkey(req); X509_set_pubkey(x, pkey); - EVP_PKEY_free(pkey); } } else x = load_cert(infile, informat, "Certificate"); diff --git a/crypto/x509/x509_r2x.c b/crypto/x509/x509_r2x.c index a6c5941..d082636 100644 --- a/crypto/x509/x509_r2x.c +++ b/crypto/x509/x509_r2x.c @@ -70,10 +70,11 @@ X509 *X509_REQ_to_X509(X509_REQ *r, int days, EVP_PKEY *pkey) X509 *ret = NULL; X509_CINF *xi = NULL; X509_NAME *xn; + EVP_PKEY *pubkey = NULL; if ((ret = X509_new()) == NULL) { X509err(X509_F_X509_REQ_TO_X509, ERR_R_MALLOC_FAILURE); - goto err; + return NULL; } /* duplicate the request */ 
@@ -89,9 +90,9 @@ X509 *X509_REQ_to_X509(X509_REQ *r, int days, EVP_PKEY *pkey) } xn = X509_REQ_get_subject_name(r); - if (X509_set_subject_name(ret, X509_NAME_dup(xn)) == 0) + if (X509_set_subject_name(ret, xn) == 0) goto err; - if (X509_set_issuer_name(ret, X509_NAME_dup(xn)) == 0) + if (X509_set_issuer_name(ret, xn) == 0) goto err; if (X509_gmtime_adj(xi->validity.notBefore, 0) == NULL) @@ -100,7 +101,9 @@ X509 *X509_REQ_to_X509(X509_REQ *r, int days, EVP_PKEY *pkey) NULL) goto err; - X509_set_pubkey(ret, X509_REQ_get_pubkey(r)); + pubkey = X509_REQ_get0_pubkey(r); + if (pubkey == NULL || !X509_set_pubkey(ret, pubkey)) + goto err; if (!X509_sign(ret, pkey, EVP_md5())) goto err; diff --git a/crypto/x509/x509_req.c b/crypto/x509/x509_req.c index c67f609..2b2cbce 100644 --- a/crypto/x509/x509_req.c +++ b/crypto/x509/x509_req.c @@ -115,6 +115,13 @@ EVP_PKEY *X509_REQ_get_pubkey(X509_REQ *req) return (X509_PUBKEY_get(req->req_info.pubkey)); } +EVP_PKEY *X509_REQ_get0_pubkey(X509_REQ *req) +{ + if (req == NULL) + return NULL; + return (X509_PUBKEY_get0(req->req_info.pubkey)); +} + X509_PUBKEY *X509_REQ_get_X509_PUBKEY(X509_REQ *req) { return req->req_info.pubkey; diff --git a/doc/crypto/X509_get_pubkey.pod b/doc/crypto/X509_get_pubkey.pod index 2740f98..c2fb5c0 100644 --- a/doc/crypto/X509_get_pubkey.pod +++ b/doc/crypto/X509_get_pubkey.pod @@ -3,8 +3,9 @@ =head1 NAME X509_get_pubkey, X509_get0_pubkey, X509_set_pubkey, X509_get_X509_PUBKEY, -X509_REQ_get_pubkey, X509_REQ_set_pubkey, X509_REQ_get_X509_PUBKEY - get or -set certificate or certificate request public key. +X509_REQ_get_pubkey, X509_REQ_get0_pubkey, X509_REQ_set_pubkey, +X509_REQ_get_X509_PUBKEY - get or set certificate or certificate request +public key. =head1 SYNOPSIS 
@@ -16,6 +17,7 @@ set certificate or certificate request public key. X509_PUBKEY *X509_get_X509_PUBKEY(X509 *x); EVP_PKEY *X509_REQ_get_pubkey(X509_REQ *req); + EVP_PKEY *X509_REQ_get0_pubkey(X509_REQ *req); int X509_REQ_set_pubkey(X509_REQ *x, EVP_PKEY *pkey); X509_PUBKEY *X509_REQ_get_X509_PUBKEY(X509_REQ *x); @@ -35,8 +37,8 @@ must not be freed up after use. X509_set_pubkey() attempts to set the public key for certificate B to B. The key B should be freed up after use. -X509_REQ_get_pubkey(), X509_REQ_set_pubkey() and X509_REQ_get_X509_PUBKEY() -are similar but operate on certificate request B. +X509_REQ_get_pubkey(), X509_REQ_get0_pubkey(), X509_REQ_set_pubkey() and +X509_REQ_get_X509_PUBKEY() are similar but operate on certificate request B. =head1 NOTES @@ -51,7 +53,7 @@ X509_get_pubkey(), X509_get0_pubkey(), X509_get_X509_PUBKEY(), X509_REQ_get_pubkey() and X509_REQ_get_X509_PUBKEY() return a public key or B if an error occurred. -X509_set_pubkey() and X509_REQ_set_pubkey() rerturn 1 for success and 0 +X509_set_pubkey() and X509_REQ_set_pubkey() return 1 for success and 0 for failure. =head1 SEE ALSO diff --git a/include/openssl/x509.h b/include/openssl/x509.h index 4f22dc3..ae2fb1d 100644 --- a/include/openssl/x509.h +++ b/include/openssl/x509.h @@ -696,6 +696,7 @@ int X509_REQ_get_signature_nid(const X509_REQ *req); int i2d_re_X509_REQ_tbs(X509_REQ *req, unsigned char **pp); int X509_REQ_set_pubkey(X509_REQ *x, EVP_PKEY *pkey); EVP_PKEY *X509_REQ_get_pubkey(X509_REQ *req); +EVP_PKEY *X509_REQ_get0_pubkey(X509_REQ *req); X509_PUBKEY *X509_REQ_get_X509_PUBKEY(X509_REQ *req); int X509_REQ_extension_nid(int nid); int *X509_REQ_get_extension_nids(void); diff --git a/util/libcrypto.num b/util/libcrypto.num index e1ca4ef..581a84b 100644 --- a/util/libcrypto.num +++ b/util/libcrypto.num 
@@ -4124,3 +4124,4 @@ DSA_meth_get_sign_setup 3989 1_1_0 EXIST::FUNCTION:DSA DSA_get0_engine 3990 1_1_0 EXIST::FUNCTION:DSA X509_VERIFY_PARAM_set_auth_level 3991 1_1_0 EXIST::FUNCTION: X509_VERIFY_PARAM_get_auth_level 3992 1_1_0 EXIST::FUNCTION: +X509_REQ_get0_pubkey 3993 1_1_0 EXIST::FUNCTION: From rsalz at openssl.org Mon Apr 4 19:06:55 2016 
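Review bot: in the apps/ca.c do_body() hunk (@@ -1790), EVP_PKEY_free(pktmp) is removed but the line above it still calls X509_REQ_get_pubkey(req), not the new X509_REQ_get0_pubkey() that every other call site in this patch switches to. X509_REQ_get_pubkey() hands the caller a reference it owns, so unless pktmp is released on a path not shown in this hunk, the change trades a correct free for a leak. Either change the call to X509_REQ_get0_pubkey(req) as in certify(), or keep the EVP_PKEY_free().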
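Review bot: in the second apps/x509.c hunk (@@ -607), the result of X509_REQ_get0_pubkey(req) goes straight into X509_set_pubkey(x, pkey) with no NULL check, and the return value of X509_set_pubkey() is ignored. The crypto/x509/x509_r2x.c change in this same patch checks both with "if (pubkey == NULL || !X509_set_pubkey(ret, pubkey)) goto err;". The same pattern with "goto end" belongs here, so a request whose key cannot be unpacked is reported as an error instead of being carried forward silently.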
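Review bot: the RETURN VALUES paragraph of doc/crypto/X509_get_pubkey.pod (hunk @@ -51) still names only X509_REQ_get_pubkey() and X509_REQ_get_X509_PUBKEY() on the request side, so the new X509_REQ_get0_pubkey() has no documented return value. Add it to that list, and say explicitly in the DESCRIPTION that its result must not be freed by the caller. "Are similar" leaves the reader to infer the ownership rule, and that rule is exactly what lets the callers in this patch drop their EVP_PKEY_free() calls.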
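Review bot: in the last crypto/x509/x509_r2x.c hunk (@@ -100), the context line directly after the new public key check still reads "if (!X509_sign(ret, pkey, EVP_md5()))", so X509_REQ_to_X509() keeps producing MD5-signed certificates. That is not introduced by this change, but since the function is being cleaned up here it is worth a follow-up to replace the hard-coded digest with a stronger one or let the caller choose it.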
From: rsalz at openssl.org (Rich Salz) Date: Mon, 04 Apr 2016 19:06:55 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1459796815.718863.26562.nullmailer@dev.openssl.org> The branch master has been updated via 2b0bcfaf834e2fb7cd52888d7330b247e3878115 (commit) via 620d540bd47a96fb6905fbbdd8ea5167a8841a3e (commit) from f6c006ea76304a52cf9212695525e1bcc6cf6c22 (commit) - Log ----------------------------------------------------------------- commit 2b0bcfaf834e2fb7cd52888d7330b247e3878115 Author: FdaSilvaYY Date: Mon Apr 4 20:42:27 2016 +0200 Fix an error code spelling. Reviewed-by: Richard Levitte Reviewed-by: Rich Salz commit 620d540bd47a96fb6905fbbdd8ea5167a8841a3e Author: FdaSilvaYY Date: Thu Mar 10 21:34:48 2016 +0100 various spelling fixes Reviewed-by: Richard Levitte Reviewed-by: Rich Salz ----------------------------------------------------------------------- Summary of changes: Configure | 20 ++++++++++---------- apps/apps.c | 4 ++-- crypto/asn1/bio_ndef.c | 2 +- crypto/bio/b_addr.c | 4 ++-- crypto/engine/eng_int.h | 2 +- crypto/include/internal/cryptlib_int.h | 2 +- crypto/include/internal/md32_common.h | 2 +- crypto/include/internal/x509_int.h | 2 +- crypto/poly1305/poly1305.c | 2 +- crypto/srp/srp_vfy.c | 2 +- crypto/x509v3/pcy_int.h | 2 +- doc/crypto/EVP_EncryptInit.pod | 2 +- include/openssl/ct.h | 8 ++++---- include/openssl/dh.h | 2 +- include/openssl/dsa.h | 2 +- include/openssl/ec.h | 12 ++++++------ include/openssl/srp.h | 2 +- include/openssl/ssl.h | 2 +- include/openssl/tls1.h | 2 +- include/openssl/ui.h | 4 ++-- include/openssl/x509_vfy.h | 2 +- ssl/d1_lib.c | 2 +- ssl/record/rec_layer_d1.c | 2 +- ssl/record/rec_layer_s3.c | 10 +++++----- ssl/s3_enc.c | 4 ++-- ssl/s3_lib.c | 2 +- ssl/ssl_cert.c | 2 +- ssl/ssl_err.c | 4 ++-- ssl/ssl_lib.c | 2 +- ssl/ssl_txt.c | 2 +- ssl/statem/statem.h | 2 +- ssl/statem/statem_clnt.c | 2 +- ssl/statem/statem_srvr.c | 2 +- ssl/t1_lib.c | 17 +++++++++-------- test/dhtest.c | 2 +- 35 files changed, 
69 insertions(+), 68 deletions(-) diff --git a/Configure b/Configure index fdd8820..62e1b19 100755 --- a/Configure +++ b/Configure @@ -67,9 +67,9 @@ my $usage="Usage: Configure [no- ...] [enable- ...] [-Dxxx] [-lx # RC4_CHAR use 'char' instead of 'int' for RC4_INT in crypto/rc4/rc4.h # Following are set automatically by this script # -# MD5_ASM use some extra md5 assember, -# SHA1_ASM use some extra sha1 assember, must define L_ENDIAN for x86 -# RMD160_ASM use some extra ripemd160 assember, +# MD5_ASM use some extra md5 assembler, +# SHA1_ASM use some extra sha1 assembler, must define L_ENDIAN for x86 +# RMD160_ASM use some extra ripemd160 assembler, # SHA256_ASM sha256_block is implemented in assembler # SHA512_ASM sha512_block is implemented in assembler # AES_ASM ASE_[en|de]crypt is implemented in assembler @@ -149,7 +149,7 @@ sub read_config; # resolve_config(target) # -# Resolves all the late evalutations, inheritances and so on for the +# Resolves all the late evaluations, inheritances and so on for the # chosen target and any target it inherits from. sub resolve_config; @@ -227,7 +227,7 @@ $config{sdirs} = [ my @tls = qw(ssl3 tls1 tls1_1 tls1_2); my @dtls = qw(dtls1 dtls1_2); -# Explicitelly known options that are possible to disable. They can +# Explicitly known options that are possible to disable. They can # be regexps, and will be used like this: /^no-${option}$/ # For developers: keep it sorted alphabetically @@ -701,7 +701,7 @@ foreach (@argvcopy) unless ($_ eq $target || /^no-/ || /^disable-/) { # "no-..." follows later after implied disactivations - # have been derived. (Don't take this too seroiusly, + # have been derived. (Don't take this too seriously, # we really only write OPTIONS to the Makefile out of # nostalgia.) 
@@ -972,7 +972,7 @@ unless ($disabled{threads}) { $disabled{threads} = "unavailable"; } } else { - # The user chose to enable threads explicitely, let's see + # The user chose to enable threads explicitly, let's see # if there's a chance that's possible if ($target{thread_scheme} eq "(unknown)") { # If the user asked for "threads" and we don't have internal @@ -2093,8 +2093,8 @@ sub read_config { } -# configuration resolver. Will only resolve all the lazy evalutation -# codeblocks for the chozen target and all those it inherits from, +# configuration resolver. Will only resolve all the lazy evaluation +# codeblocks for the chosen target and all those it inherits from, # recursively sub resolve_config { my $target = shift; @@ -2147,7 +2147,7 @@ sub resolve_config { # - If a value is a coderef, it will be executed with the list of # inherited values as arguments. # - If the corresponding key doesn't have a value at all or is the - # emoty string, the inherited value list will be run through the + # empty string, the inherited value list will be run through the # default combiner (below), and the result becomes this target's # value. # - Otherwise, this target's value is assumed to be a string that diff --git a/apps/apps.c b/apps/apps.c index 7ba12fe..4104553 100644 --- a/apps/apps.c +++ b/apps/apps.c @@ -1964,9 +1964,9 @@ void policies_print(X509_STORE_CTX *ctx) * in a format suitable for passing to SSL_CTX_set_next_protos_advertised. * outlen: (output) set to the length of the resulting buffer on success. * err: (maybe NULL) on failure, an error message line is written to this BIO. - * in: a NUL termianted string like "abc,def,ghi" + * in: a NUL terminated string like "abc,def,ghi" * - * returns: a malloced buffer or NULL on failure. + * returns: a malloc'd buffer or NULL on failure. */ unsigned char *next_protos_parse(size_t *outlen, const char *in) { diff --git a/crypto/asn1/bio_ndef.c b/crypto/asn1/bio_ndef.c index 9a6eaf6..e71bd63 100644 
--- a/crypto/asn1/bio_ndef.c +++ b/crypto/asn1/bio_ndef.c @@ -119,7 +119,7 @@ BIO *BIO_new_NDEF(BIO *out, ASN1_VALUE *val, const ASN1_ITEM *it) BIO_asn1_set_suffix(asn_bio, ndef_suffix, ndef_suffix_free); /* - * Now let callback prepend any digest, cipher etc BIOs ASN1 structure + * Now let callback prepends any digest, cipher etc BIOs ASN1 structure * needs. */ diff --git a/crypto/bio/b_addr.c b/crypto/bio/b_addr.c index ed4c139..9323325 100644 --- a/crypto/bio/b_addr.c +++ b/crypto/bio/b_addr.c @@ -583,7 +583,7 @@ int BIO_parse_hostserv(const char *hostserv, char **host, char **service, * family, such as AF_UNIX * * the return value is 1 on success, or 0 on failure, which - * only happens if a memory allocation error occured. + * only happens if a memory allocation error occurred. */ static int addrinfo_wrap(int family, int socktype, const void *where, size_t wherelen, @@ -749,7 +749,7 @@ int BIO_lookup(const char *host, const char *service, #endif struct servent *se; - /* Apprently, on WIN64, s_proto and s_port have traded places... */ + /* Apparently, on WIN64, s_proto and s_port have traded places... */ #ifdef _WIN64 struct servent se_fallback = { NULL, NULL, NULL, 0 }; #else diff --git a/crypto/engine/eng_int.h b/crypto/engine/eng_int.h index f6a54d8..df12cde 100644 --- a/crypto/engine/eng_int.h +++ b/crypto/engine/eng_int.h @@ -207,7 +207,7 @@ struct engine_st { int struct_ref; /* * reference count on usability of the engine type. NB: This controls the - * loading and initialisation of any functionlity required by this + * loading and initialisation of any functionality required by this * engine, whereas the previous count is simply to cope with * (de)allocation of this structure. Hence, running_ref <= struct_ref at * all times. diff --git a/crypto/include/internal/cryptlib_int.h b/crypto/include/internal/cryptlib_int.h index ae30842..296853f 100644 --- a/crypto/include/internal/cryptlib_int.h +++ b/crypto/include/internal/cryptlib_int.h 
@@ -67,7 +67,7 @@ struct thread_local_inits_st { int ossl_init_thread_start(uint64_t opts); /* * OPENSSL_INIT flags. The primary list of these is in crypto.h. Flags below - * are those ommitted from crypto.h because they are "reserverd for internal + * are those ommitted from crypto.h because they are "reserved for internal * use". */ # define OPENSSL_INIT_ZLIB 0x00010000L diff --git a/crypto/include/internal/md32_common.h b/crypto/include/internal/md32_common.h index 156fa3a..b3d72e4 100644 --- a/crypto/include/internal/md32_common.h +++ b/crypto/include/internal/md32_common.h @@ -387,7 +387,7 @@ int HASH_FINAL(unsigned char *md, HASH_CTX *c) # if defined(__alpha) || defined(__sparcv9) || defined(__mips) # define MD32_REG_T long /* - * This comment was originaly written for MD5, which is why it + * This comment was originally written for MD5, which is why it * discusses A-D. But it basically applies to all 32-bit digests, * which is why it was moved to common header file. * diff --git a/crypto/include/internal/x509_int.h b/crypto/include/internal/x509_int.h index fc032ae..c6fdd8d 100644 --- a/crypto/include/internal/x509_int.h +++ b/crypto/include/internal/x509_int.h @@ -109,7 +109,7 @@ struct X509_req_st { struct X509_crl_info_st { ASN1_INTEGER *version; /* version: defaults to v1(0) so may be NULL */ - X509_ALGOR sig_alg; /* signagture algorithm */ + X509_ALGOR sig_alg; /* signature algorithm */ X509_NAME *issuer; /* CRL issuer name */ ASN1_TIME *lastUpdate; /* lastUpdate field */ ASN1_TIME *nextUpdate; /* nextUpdate field: optional */ diff --git a/crypto/poly1305/poly1305.c b/crypto/poly1305/poly1305.c index 6bec8b3..8d069b9 100644 --- a/crypto/poly1305/poly1305.c +++ b/crypto/poly1305/poly1305.c 
@@ -94,7 +94,7 @@ typedef unsigned int u32; * POLY1305_BLOCK_SIZE and |padbit| to 0. In all other cases |padbit| * should be set to 1 to perform implicit padding with 128th bit. * poly1305_blocks does not actually check for this constraint though, - * it's caller(*)'s resposibility to comply. + * it's caller(*)'s responsibility to comply. * * (*) In the context "caller" is not application code, but higher * level Poly1305_* from this very module, so that quirks are diff --git a/crypto/srp/srp_vfy.c b/crypto/srp/srp_vfy.c index 78db608..606ed8b 100644 --- a/crypto/srp/srp_vfy.c +++ b/crypto/srp/srp_vfy.c @@ -445,7 +445,7 @@ int SRP_VBASE_init(SRP_VBASE *vb, char *verifier_file) if (sk_SRP_user_pwd_insert(vb->users_pwd, user_pwd, 0) == 0) goto err; - user_pwd = NULL; /* abandon responsability */ + user_pwd = NULL; /* abandon responsibility */ } } } diff --git a/crypto/x509v3/pcy_int.h b/crypto/x509v3/pcy_int.h index 809dc5e..8c2ef95 100644 --- a/crypto/x509v3/pcy_int.h +++ b/crypto/x509v3/pcy_int.h @@ -168,7 +168,7 @@ struct X509_POLICY_TREE_st { * required. */ STACK_OF(X509_POLICY_DATA) *extra_data; - /* This is the authority constained policy set */ + /* This is the authority constrained policy set */ STACK_OF(X509_POLICY_NODE) *auth_policies; STACK_OF(X509_POLICY_NODE) *user_policies; unsigned int flags; diff --git a/doc/crypto/EVP_EncryptInit.pod b/doc/crypto/EVP_EncryptInit.pod index b42b64c..ad949dd 100644 --- a/doc/crypto/EVP_EncryptInit.pod +++ b/doc/crypto/EVP_EncryptInit.pod @@ -388,7 +388,7 @@ the L section below for details. =item EVP_aes_128_ocb(void), EVP_aes_192_ocb(void), EVP_aes_256_ocb(void) -Offest Codebook Mode (OCB) for 128, 192 and 256 bit keys respectively. +Offset Codebook Mode (OCB) for 128, 192 and 256 bit keys respectively. These ciphers require additional control operations to function correctly: see the L section below for details. diff --git a/include/openssl/ct.h b/include/openssl/ct.h index 0da3125..fa25c69 100644 
--- a/include/openssl/ct.h +++ b/include/openssl/ct.h @@ -367,7 +367,7 @@ __owur int SCT_LIST_validate(const STACK_OF(SCT) *scts, * for data that caller is responsible for freeing (only if function returns * successfully). * If "pp" is NULL and "*pp" is not NULL, caller is responsible for ensuring - * that "*pp" is large enough to accept all of the serializied data. + * that "*pp" is large enough to accept all of the serialized data. * Returns < 0 on error, >= 0 indicating bytes written (or would have been) * on success. */ @@ -394,7 +394,7 @@ STACK_OF(SCT) *o2i_SCT_LIST(STACK_OF(SCT) **a, const unsigned char **pp, * for data that caller is responsible for freeing (only if function returns * successfully). * If "pp" is NULL and "*pp" is not NULL, caller is responsible for ensuring - * that "*pp" is large enough to accept all of the serializied data. + * that "*pp" is large enough to accept all of the serialized data. * Returns < 0 on error, >= 0 indicating bytes written (or would have been) * on success. */ @@ -428,7 +428,7 @@ __owur int i2o_SCT(const SCT *sct, unsigned char **out); * Parses an SCT in TLS format and returns it. * If |psct| is not null, it will end up pointing to the parsed SCT. If it * already points to a non-null pointer, the pointer will be free'd. - * |in| should be a pointer to a string contianing the TLS-format SCT. + * |in| should be a pointer to a string containing the TLS-format SCT. * |in| will be advanced to the end of the SCT if parsing succeeds. * |len| should be the length of the SCT in |in|. * Returns NULL if an error occurs. 
@@ -449,7 +449,7 @@ __owur int i2o_SCT_signature(const SCT *sct, unsigned char **out); /* * Parses an SCT signature in TLS format and populates the |sct| with it. -* |in| should be a pointer to a string contianing the TLS-format signature. +* |in| should be a pointer to a string containing the TLS-format signature. * |in| will be advanced to the end of the signature if parsing succeeds. * |len| should be the length of the signature in |in|. * Returns the number of bytes parsed, or a negative integer if an error occurs. diff --git a/include/openssl/dh.h b/include/openssl/dh.h index 2e021e2..9b3df55 100644 --- a/include/openssl/dh.h +++ b/include/openssl/dh.h @@ -85,7 +85,7 @@ extern "C" { /* * If this flag is set the DH method is FIPS compliant and can be used in * FIPS mode. This is set in the validated module method. If an application - * sets this flag in its own methods it is its reposibility to ensure the + * sets this flag in its own methods it is its responsibility to ensure the * result is compliant. */ diff --git a/include/openssl/dsa.h b/include/openssl/dsa.h index 1b04584..29fc86f 100644 --- a/include/openssl/dsa.h +++ b/include/openssl/dsa.h @@ -96,7 +96,7 @@ extern "C" { /* * If this flag is set the DSA method is FIPS compliant and can be used in * FIPS mode. This is set in the validated module method. If an application - * sets this flag in its own methods it is its reposibility to ensure the + * sets this flag in its own methods it is its responsibility to ensure the * result is compliant. */ diff --git a/include/openssl/ec.h b/include/openssl/ec.h index 892239d..9a99091 100644 --- a/include/openssl/ec.h +++ b/include/openssl/ec.h 
@@ -241,7 +241,7 @@ int EC_GROUP_get_order(const EC_GROUP *group, BIGNUM *order, BN_CTX *ctx); const BIGNUM *EC_GROUP_get0_order(const EC_GROUP *group); -/** Gets the number of bits of ther order of an EC_GROUP +/** Gets the number of bits of the order of an EC_GROUP * \param group EC_GROUP object * \return number of bits of group order. */ @@ -438,7 +438,7 @@ typedef struct { /* * EC_builtin_curves(EC_builtin_curve *r, size_t size) returns number of all - * available curves or zero if a error occurred. In case r ist not zero + * available curves or zero if a error occurred. In case r is not zero, * nitems EC_builtin_curve structures are filled with the data of the first * nitems internal groups */ @@ -711,7 +711,7 @@ int EC_POINTs_make_affine(const EC_GROUP *group, size_t num, * \param group underlying EC_GROUP object * \param r EC_POINT object for the result * \param n BIGNUM with the multiplier for the group generator (optional) - * \param num number futher summands + * \param num number further summands * \param p array of size num of EC_POINT objects * \param m array of size num of BIGNUM objects * \param ctx BN_CTX object (optional) @@ -918,7 +918,7 @@ int EC_KEY_check_key(const EC_KEY *key); */ int EC_KEY_can_sign(const EC_KEY *eckey); -/** Sets a public key from affine coordindates performing +/** Sets a public key from affine coordinates performing * necessary NIST PKV tests. * \param key the EC_KEY object * \param x public key x coordinate @@ -1142,7 +1142,7 @@ ECDSA_SIG *ECDSA_do_sign(const unsigned char *dgst, int dgst_len, * \param dgst pointer to the hash value to sign * \param dgstlen length of the hash value * \param kinv BIGNUM with a pre-computed inverse k (optional) - * \param rp BIGNUM with a pre-computed rp value (optioanl), + * \param rp BIGNUM with a pre-computed rp value (optional), * see ECDSA_sign_setup * \param eckey EC_KEY object containing a private EC key * \return pointer to a ECDSA_SIG structure or NULL if an error occurred 
@@ -1193,7 +1193,7 @@ int ECDSA_sign(int type, const unsigned char *dgst, int dgstlen, * \param sig buffer to hold the DER encoded signature * \param siglen pointer to the length of the returned signature * \param kinv BIGNUM with a pre-computed inverse k (optional) - * \param rp BIGNUM with a pre-computed rp value (optioanl), + * \param rp BIGNUM with a pre-computed rp value (optional), * see ECDSA_sign_setup * \param eckey EC_KEY object containing a private EC key * \return 1 on success and 0 otherwise diff --git a/include/openssl/srp.h b/include/openssl/srp.h index 37e7678..7a7406f 100644 --- a/include/openssl/srp.h +++ b/include/openssl/srp.h @@ -106,7 +106,7 @@ typedef struct SRP_VBASE_st { } SRP_VBASE; /* - * Structure interne pour retenir les couples N et g + * Internal structure storing N and g pair */ typedef struct SRP_gN_st { char *id; diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h index ea47cb3..1aa669c 100644 --- a/include/openssl/ssl.h +++ b/include/openssl/ssl.h @@ -2481,7 +2481,7 @@ void ERR_load_SSL_strings(void); # define SSL_R_RENEGOTIATION_ENCODING_ERR 336 # define SSL_R_RENEGOTIATION_MISMATCH 337 # define SSL_R_REQUIRED_CIPHER_MISSING 215 -# define SSL_R_REQUIRED_COMPRESSSION_ALGORITHM_MISSING 342 +# define SSL_R_REQUIRED_COMPRESSION_ALGORITHM_MISSING 342 # define SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING 345 # define SSL_R_SCT_VERIFICATION_FAILED 208 # define SSL_R_SERVERHELLO_TLSEXT 275 diff --git a/include/openssl/tls1.h b/include/openssl/tls1.h index c3344e1..ffc6eb7 100644 --- a/include/openssl/tls1.h +++ b/include/openssl/tls1.h @@ -156,7 +156,7 @@ extern "C" { #endif -/* Default security level if not overriden at config time */ +/* Default security level if not overridden at config time */ # ifndef OPENSSL_TLS_SECURITY_LEVEL # define OPENSSL_TLS_SECURITY_LEVEL 1 # endif diff --git a/include/openssl/ui.h b/include/openssl/ui.h index 3d1507e..7132ebd 100644 --- a/include/openssl/ui.h +++ b/include/openssl/ui.h 
@@ -270,7 +270,7 @@ UI_METHOD *UI_OpenSSL(void); display a dialog box after it has been built. a reader This function is called to read a given prompt, maybe from the tty, maybe from a field in a - window. Note that it's called wth all string + window. Note that it's called with all string structures, not only the prompt ones, so it must check such things itself. a closer This function closes the session, maybe by closing @@ -355,7 +355,7 @@ int UI_get_input_flags(UI_STRING *uis); /* Return the actual string to output (the prompt, info or error) */ const char *UI_get0_output_string(UI_STRING *uis); /* - * Return the optional action string to output (the boolean promtp + * Return the optional action string to output (the boolean prompt * instruction) */ const char *UI_get0_action_string(UI_STRING *uis); diff --git a/include/openssl/x509_vfy.h b/include/openssl/x509_vfy.h index 093b0f3..33d5e45 100644 --- a/include/openssl/x509_vfy.h +++ b/include/openssl/x509_vfy.h @@ -391,7 +391,7 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth); # define X509_V_FLAG_EXTENDED_CRL_SUPPORT 0x1000 /* Delta CRL support */ # define X509_V_FLAG_USE_DELTAS 0x2000 -/* Check selfsigned CA signature */ +/* Check self-signed CA signature */ # define X509_V_FLAG_CHECK_SS_SIGNATURE 0x4000 /* Use trusted store first */ # define X509_V_FLAG_TRUSTED_FIRST 0x8000 diff --git a/ssl/d1_lib.c b/ssl/d1_lib.c index 6d75225..193f603 100644 --- a/ssl/d1_lib.c +++ b/ssl/d1_lib.c @@ -797,7 +797,7 @@ int DTLSv1_listen(SSL *s, BIO_ADDR *client) } /* - * This is unneccessary if rbio and wbio are one and the same - but + * This is unnecessary if rbio and wbio are one and the same - but * maybe they're not. We ignore errors here - some BIOs do not * support this. */ diff --git a/ssl/record/rec_layer_d1.c b/ssl/record/rec_layer_d1.c index 00af44e..6f9ac96 100644 --- a/ssl/record/rec_layer_d1.c +++ b/ssl/record/rec_layer_d1.c 
@@ -666,7 +666,7 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, if (dest_maxlen > 0) { /* - * XDTLS: In a pathalogical case, the Client Hello may be + * XDTLS: In a pathological case, the Client Hello may be * fragmented--don't always expect dest_maxlen bytes */ if (SSL3_RECORD_get_length(rr) < dest_maxlen) { diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c index 773a6d6..4a5907b 100644 --- a/ssl/record/rec_layer_s3.c +++ b/ssl/record/rec_layer_s3.c @@ -495,7 +495,7 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, int len) /* * Depending on platform multi-block can deliver several *times* * better performance. Downside is that it has to allocate - * jumbo buffer to accomodate up to 8 records, but the + * jumbo buffer to accommodate up to 8 records, but the * compromise is considered worthy. */ if (type == SSL3_RT_APPLICATION_DATA && @@ -631,7 +631,7 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, int len) split_send_fragment = s->split_send_fragment; /* * If max_pipelines is 0 then this means "undefined" and we default to - * 1 pipeline. Similaraly if the cipher does not support pipelined + * 1 pipeline. Similarly if the cipher does not support pipelined * processing then we also only use 1 pipeline, or if we're not using * explicit IVs */ @@ -810,7 +810,7 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf, /* * extra fragment would be couple of cipher blocks, which would be * multiple of SSL3_ALIGN_PAYLOAD, so if we want to align the real - * payload, then we can just pretent we simply have two headers. + * payload, then we can just pretend we simply have two headers. */ align = (size_t)SSL3_BUFFER_get_buf(wb) + 2 * SSL3_RT_HEADER_LENGTH; align = (0-align) & (SSL3_ALIGN_PAYLOAD - 1); 
@@ -862,7 +862,7 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf, *(outbuf[j]++) = (s->version >> 8); /* - * Some servers hang if iniatial client hello is larger than 256 bytes + * Some servers hang if initial client hello is larger than 256 bytes * and record version number > TLS 1.0 */ if (SSL_get_state(s) == TLS_ST_CW_CLNT_HELLO @@ -1445,7 +1445,7 @@ int ssl3_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, /* * This is a warning but we receive it if we requested * renegotiation and the peer denied it. Terminate with a fatal - * alert because if application tried to renegotiatie it + * alert because if application tried to renegotiate it * presumably had a good reason and expects it to succeed. In * future we might have a renegotiation where we don't care if * the peer refused it where we carry on. diff --git a/ssl/s3_enc.c b/ssl/s3_enc.c index 35ef948..ec5ff9b 100644 --- a/ssl/s3_enc.c +++ b/ssl/s3_enc.c @@ -231,7 +231,7 @@ int ssl3_change_cipher_state(SSL *s, int which) goto err; else /* - * make sure it's intialized in case we exit later with an error + * make sure it's initialised in case we exit later with an error */ EVP_CIPHER_CTX_reset(s->enc_read_ctx); dd = s->enc_read_ctx; @@ -262,7 +262,7 @@ int ssl3_change_cipher_state(SSL *s, int which) goto err; else /* - * make sure it's intialized in case we exit later with an error + * make sure it's initialised in case we exit later with an error */ EVP_CIPHER_CTX_reset(s->enc_write_ctx); dd = s->enc_write_ctx; diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index ef65050..fc2aac8 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -3839,7 +3839,7 @@ int ssl3_shutdown(SSL *s) if (ret == -1) { /* * we only get to return -1 here the 2nd/Nth invocation, we must - * have already signalled return 0 upon a previous invoation, + * have already signalled return 0 upon a previous invocation, * return WANT_WRITE */ return (ret); 
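Review bot: the crypto/asn1/bio_ndef.c hunk makes a correct comment ungrammatical: "Now let callback prepend any digest" was fine, and the replacement "Now let callback prepends any digest" is not. Drop this hunk, or if a rewording is wanted, use "Now let the callback prepend any digest, cipher etc. BIOs the ASN1 structure needs."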
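Review bot: in the crypto/include/internal/cryptlib_int.h hunk, the changed line fixes "reserverd" but still reads "are those ommitted from crypto.h". Correct "ommitted" to "omitted" in the same edit so the line does not need a second spelling pass.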
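Review bot: the include/openssl/ssl.h hunk renames SSL_R_REQUIRED_COMPRESSSION_ALGORITHM_MISSING to SSL_R_REQUIRED_COMPRESSION_ALGORITHM_MISSING in a public header, which is a source-level API change and not only a spelling fix: any application that tests for this reason code under the old name stops compiling. The in-tree users in ssl/ssl_err.c and ssl/statem/statem_srvr.c are updated by this patch, but external code is not. Consider keeping the old spelling as a compatibility #define that maps to the new name, and mention the rename in the release notes.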
diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c index 24ac352..8668a59 100644 --- a/ssl/ssl_cert.c +++ b/ssl/ssl_cert.c @@ -842,7 +842,7 @@ static int ssl_add_cert_to_buf(BUF_MEM *buf, unsigned long *l, X509 *x) return 1; } -/* Add certificate chain to internal SSL BUF_MEM strcuture */ +/* Add certificate chain to internal SSL BUF_MEM structure */ int ssl_add_cert_chain(SSL *s, CERT_PKEY *cpk, unsigned long *l) { BUF_MEM *buf = s->init_buf; diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c index d0cadc6..e42849e 100644 --- a/ssl/ssl_err.c +++ b/ssl/ssl_err.c @@ -587,8 +587,8 @@ static ERR_STRING_DATA SSL_str_reasons[] = { "renegotiation encoding err"}, {ERR_REASON(SSL_R_RENEGOTIATION_MISMATCH), "renegotiation mismatch"}, {ERR_REASON(SSL_R_REQUIRED_CIPHER_MISSING), "required cipher missing"}, - {ERR_REASON(SSL_R_REQUIRED_COMPRESSSION_ALGORITHM_MISSING), - "required compresssion algorithm missing"}, + {ERR_REASON(SSL_R_REQUIRED_COMPRESSION_ALGORITHM_MISSING), + "required compression algorithm missing"}, {ERR_REASON(SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING), "scsv received when renegotiating"}, {ERR_REASON(SSL_R_SCT_VERIFICATION_FAILED), "sct verification failed"}, diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index e651189..a289d3a 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -3706,7 +3706,7 @@ void SSL_set_not_resumable_session_callback(SSL *ssl, /* * Allocates new EVP_MD_CTX and sets pointer to it into given pointer - * vairable, freeing EVP_MD_CTX previously stored in that variable, if any. + * variable, freeing EVP_MD_CTX previously stored in that variable, if any. * If EVP_MD pointer is passed, initializes ctx with this md Returns newly * allocated ctx; */ diff --git a/ssl/ssl_txt.c b/ssl/ssl_txt.c index b2c6bf7..e0f82ec 100644 --- a/ssl/ssl_txt.c +++ b/ssl/ssl_txt.c 
@@ -238,7 +238,7 @@ int SSL_SESSION_print_keylog(BIO *bp, const SSL_SESSION *x) /* * the RSA prefix is required by the format's definition although there's - * nothing RSA-specifc in the output, therefore, we don't have to check if + * nothing RSA-specific in the output, therefore, we don't have to check if * the cipher suite is based on RSA */ if (BIO_puts(bp, "RSA ") <= 0) diff --git a/ssl/statem/statem.h b/ssl/statem/statem.h index 263a395..f8f79cf 100644 --- a/ssl/statem/statem.h +++ b/ssl/statem/statem.h @@ -54,7 +54,7 @@ /***************************************************************************** * * - * These emums should be considered PRIVATE to the state machine. No * + * These enums should be considered PRIVATE to the state machine. No * * non-state machine code should need to use these * * * *****************************************************************************/ diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c index 73f54bc..08b8c7d 100644 --- a/ssl/statem/statem_clnt.c +++ b/ssl/statem/statem_clnt.c @@ -870,7 +870,7 @@ int tls_construct_client_hello(SSL *s) * 1. Client hello indicates TLS 1.2 * 2. Server hello says TLS 1.0 * 3. RSA encrypted premaster secret uses 1.2. - * 4. Handhaked proceeds using TLS 1.0. + * 4. Handshake proceeds using TLS 1.0. * 5. Server sends hello request to renegotiate. * 6. Client hello indicates TLS v1.0 as we now * know that is maximum server supports. diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c index 23e7903..8fdf6e6 100644 --- a/ssl/statem/statem_srvr.c +++ b/ssl/statem/statem_srvr.c @@ -1376,7 +1376,7 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) if (k >= complen) { al = SSL_AD_ILLEGAL_PARAMETER; SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, - SSL_R_REQUIRED_COMPRESSSION_ALGORITHM_MISSING); + SSL_R_REQUIRED_COMPRESSION_ALGORITHM_MISSING); goto f_err; } } else if (s->hit) diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index a20e85f..26feac9 100644 --- a/ssl/t1_lib.c 
+++ b/ssl/t1_lib.c @@ -767,7 +767,7 @@ static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md) # ifndef OPENSSL_NO_EC /* - * tls1_check_ec_tmp_key - Check EC temporary key compatiblity + * tls1_check_ec_tmp_key - Check EC temporary key compatibility * @s: SSL connection * @cid: Cipher ID we're considering using * @@ -1179,7 +1179,7 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, /*- * check for enough space. - * 4 for the servername type and entension length + * 4 for the servername type and extension length * 2 for servernamelist length * 1 for the hostname type * 2 for hostname length @@ -1217,7 +1217,7 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, /*- * check for enough space. - * 4 for the srp type type and entension length + * 4 for the srp type type and extension length * 1 for the srp user identity * + srp user identity length */ @@ -1412,7 +1412,7 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, #ifndef OPENSSL_NO_NEXTPROTONEG if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len) { /* - * The client advertises an emtpy extension to indicate its support + * The client advertises an empty extension to indicate its support * for Next Protocol Negotiation */ if (limit - ret - 4 < 0) @@ -2002,7 +2002,7 @@ static int ssl_scan_clienthello_tlsext(SSL *s, PACKET *pkt, int *al) /* * Although the server_name extension was intended to be * extensible to new name types, RFC 4366 defined the - * syntax inextensibly and OpenSSL 1.0.x parses it as + * syntax inextensibility and OpenSSL 1.0.x parses it as * such. * RFC 6066 corrected the mistake but adding new name types * is nevertheless no longer feasible, so act as if no other 
@@ -2231,7 +2231,7 @@ static int ssl_scan_clienthello_tlsext(SSL *s, PACKET *pkt, int *al) * * s->new_session will be set on renegotiation, but we * probably shouldn't rely that it couldn't be set on - * the initial renegotation too in certain cases (when + * the initial renegotiation too in certain cases (when * there's some other reason to disallow resuming an * earlier session -- the current code won't be doing * anything like that, but this might change). @@ -2733,7 +2733,8 @@ int tls1_set_server_sigalgs(SSL *s) { int al; size_t i; - /* Clear any shared sigtnature algorithms */ + + /* Clear any shared signature algorithms */ OPENSSL_free(s->cert->shared_sigalgs); s->cert->shared_sigalgs = NULL; s->cert->shared_sigalgslen = 0; @@ -3071,7 +3072,7 @@ end: * tls_decrypt_ticket attempts to decrypt a session ticket. * * etick: points to the body of the session ticket extension. - * eticklen: the length of the session tickets extenion. + * eticklen: the length of the session tickets extension. * sess_id: points at the session ID. * sesslen: the length of the session ID. * psess: (output) on return, if a ticket was decrypted, then this is set to diff --git a/test/dhtest.c b/test/dhtest.c index 5940aa7..e15e8a8 100644 --- a/test/dhtest.c +++ b/test/dhtest.c @@ -607,7 +607,7 @@ static int run_rfc5114_tests(void) OPENSSL_free(Z1); OPENSSL_free(Z2); - fprintf(stderr, "Initalisation error RFC5114 set %d\n", i + 1); + fprintf(stderr, "Initialisation error RFC5114 set %d\n", i + 1); ERR_print_errors_fp(stderr); return 0; err: From builds at travis-ci.org Mon Apr 4 19:07:38 2016 
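Review bot: In ssl/t1_lib.c, the hunk at @@ -2002,7 changes "syntax inextensibly" to "syntax inextensibility", which replaces a correct adverb with a noun and leaves the sentence ungrammatical ("defined the syntax inextensibility and OpenSSL 1.0.x parses it as such"). Drop this change and keep the original "inextensibly".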
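Review bot: The rename of SSL_R_REQUIRED_COMPRESSSION_ALGORITHM_MISSING in ssl/ssl_err.c (@@ -587,8) and ssl/statem/statem_srvr.c (@@ -1376,7) is not a comment-only fix: it changes an error reason macro that is defined in include/openssl/ssl.h, together with its reason string "required compresssion algorithm missing". Code that references the old spelling stops compiling, and anything that matches on the old reason text stops matching. Keep the old name as an alias for the corrected one, and review this change on its own rather than alongside comment typos.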
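Review bot: In ssl/t1_lib.c, the hunk at @@ -1217,7 corrects "entension" but leaves what looks like a doubled word in "4 for the srp type type and extension length". Since the line is being touched anyway, make it "4 for the srp type and extension length", which matches the servername comment in the hunk at @@ -1179,7.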
From: builds at travis-ci.org (Travis CI)
Date: Mon, 04 Apr 2016 19:07:38 +0000
Subject: [openssl-commits] Fixed: FdaSilvaYY/openssl#402 (up_ref_api_unify - 4edeaa7)
In-Reply-To:
Message-ID: <5702bb7a8810_33f8a78239424688057@acd1db2a-604f-4220-b0cd-4cf67df92499.mail>

Build Update for FdaSilvaYY/openssl
-------------------------------------

Build: #402
Status: Fixed
Duration: 17 minutes and 4 seconds
Commit: 4edeaa7 (up_ref_api_unify)
Author: FdaSilvaYY
Message: Unify _up_ref methods returned type Add a status return value. Update the docs.

View the changeset: https://github.com/FdaSilvaYY/openssl/compare/7a926505d4c8...4edeaa73f233

View the full build log and details: https://travis-ci.org/FdaSilvaYY/openssl/builds/120673830

--
You can configure recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From no-reply at appveyor.com Mon Apr 4 19:12:57 2016
From: no-reply at appveyor.com (AppVeyor)
Date: Mon, 04 Apr 2016 19:12:57 +0000
Subject: [openssl-commits] Build failed: openssl master.2546
Message-ID: <20160404191257.9976.95254.6FEA7895@appveyor.com>

An HTML attachment was scrubbed...
URL:

From no-reply at appveyor.com Mon Apr 4 20:04:13 2016
From: no-reply at appveyor.com (AppVeyor)
Date: Mon, 04 Apr 2016 20:04:13 +0000
Subject: [openssl-commits] Build failed: openssl master.2547
Message-ID: <20160404200413.9973.2943.E877A879@appveyor.com>

An HTML attachment was scrubbed...
URL:

From builds at travis-ci.org Mon Apr 4 20:06:03 2016
From: builds at travis-ci.org (Travis CI)
Date: Mon, 04 Apr 2016 20:06:03 +0000
Subject: [openssl-commits] Fixed: FdaSilvaYY/openssl#404 (31-03-add-option-help-details - 1917dd9)
In-Reply-To:
Message-ID: <5702c92acabd8_33fd0d157360413996ea@dbfa9a30-2cac-424c-81ea-3cb1521c4ab5.mail>

Build Update for FdaSilvaYY/openssl
-------------------------------------

Build: #404
Status: Fixed
Duration: 40 minutes and 11 seconds
Commit: 1917dd9 (31-03-add-option-help-details)
Author: FdaSilvaYY
Message: Add help message to some progs options.

View the changeset: https://github.com/FdaSilvaYY/openssl/compare/ba821e5b6964...1917dd9b8df6

View the full build log and details: https://travis-ci.org/FdaSilvaYY/openssl/builds/120674120

--
You can configure recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From rsalz at openssl.org Mon Apr 4 20:11:57 2016
From: rsalz at openssl.org (Rich Salz)
Date: Mon, 04 Apr 2016 20:11:57 +0000
Subject: [openssl-commits] [openssl] master update
Message-ID: <1459800717.523617.30587.nullmailer@dev.openssl.org>

The branch master has been updated
via e771eea6d8ca3caa48076367ee86c3b55249dcb3 (commit)
via 9f2a142b13a8fc37b811bc590baf847cc6be7ab3 (commit)
from 2b0bcfaf834e2fb7cd52888d7330b247e3878115 (commit)

- Log -----------------------------------------------------------------
commit e771eea6d8ca3caa48076367ee86c3b55249dcb3
Author: Rich Salz
Date: Mon Apr 4 16:11:43 2016 -0400

    Revert "various spelling fixes"

    This reverts commit 620d540bd47a96fb6905fbbdd8ea5167a8841a3e.

    It wasn't reviewed.

    Reviewed-by: Rich Salz

commit 9f2a142b13a8fc37b811bc590baf847cc6be7ab3
Author: Rich Salz
Date: Mon Apr 4 16:11:04 2016 -0400

    Revert "Fix an error code spelling."

    This reverts commit 2b0bcfaf834e2fb7cd52888d7330b247e3878115.

    It wasn't reviewed.

    Reviewed-by: Rich Salz

-----------------------------------------------------------------------

Summary of changes:
Configure | 20 ++++++++++---------- apps/apps.c | 4 ++-- crypto/asn1/bio_ndef.c | 2 +- crypto/bio/b_addr.c | 4 ++-- crypto/engine/eng_int.h | 2 +- crypto/include/internal/cryptlib_int.h | 2 +- crypto/include/internal/md32_common.h | 2 +- crypto/include/internal/x509_int.h | 2 +- crypto/poly1305/poly1305.c | 2 +- crypto/srp/srp_vfy.c | 2 +- crypto/x509v3/pcy_int.h | 2 +- doc/crypto/EVP_EncryptInit.pod | 2 +- include/openssl/ct.h | 8 ++++---- include/openssl/dh.h | 2 +- include/openssl/dsa.h | 2 +- include/openssl/ec.h | 12 ++++++------ include/openssl/srp.h | 2 +- include/openssl/ssl.h | 2 +- include/openssl/tls1.h | 2 +- include/openssl/ui.h | 4 ++-- include/openssl/x509_vfy.h | 2 +- ssl/d1_lib.c | 2 +- ssl/record/rec_layer_d1.c | 2 +- ssl/record/rec_layer_s3.c | 10 +++++----- ssl/s3_enc.c | 4 ++-- ssl/s3_lib.c | 2 +- ssl/ssl_cert.c | 2 +- ssl/ssl_err.c | 4 ++-- ssl/ssl_lib.c | 2 +- ssl/ssl_txt.c | 2 +- ssl/statem/statem.h | 2 +- 
ssl/statem/statem_clnt.c | 2 +- ssl/statem/statem_srvr.c | 2 +- ssl/t1_lib.c | 17 ++++++++--------- test/dhtest.c | 2 +- 35 files changed, 68 insertions(+), 69 deletions(-) diff --git a/Configure b/Configure index 62e1b19..fdd8820 100755 --- a/Configure +++ b/Configure @@ -67,9 +67,9 @@ my $usage="Usage: Configure [no- ...] [enable- ...] [-Dxxx] [-lx # RC4_CHAR use 'char' instead of 'int' for RC4_INT in crypto/rc4/rc4.h # Following are set automatically by this script # -# MD5_ASM use some extra md5 assembler, -# SHA1_ASM use some extra sha1 assembler, must define L_ENDIAN for x86 -# RMD160_ASM use some extra ripemd160 assembler, +# MD5_ASM use some extra md5 assember, +# SHA1_ASM use some extra sha1 assember, must define L_ENDIAN for x86 +# RMD160_ASM use some extra ripemd160 assember, # SHA256_ASM sha256_block is implemented in assembler # SHA512_ASM sha512_block is implemented in assembler # AES_ASM ASE_[en|de]crypt is implemented in assembler @@ -149,7 +149,7 @@ sub read_config; # resolve_config(target) # -# Resolves all the late evaluations, inheritances and so on for the +# Resolves all the late evalutations, inheritances and so on for the # chosen target and any target it inherits from. sub resolve_config; @@ -227,7 +227,7 @@ $config{sdirs} = [ my @tls = qw(ssl3 tls1 tls1_1 tls1_2); my @dtls = qw(dtls1 dtls1_2); -# Explicitly known options that are possible to disable. They can +# Explicitelly known options that are possible to disable. They can # be regexps, and will be used like this: /^no-${option}$/ # For developers: keep it sorted alphabetically @@ -701,7 +701,7 @@ foreach (@argvcopy) unless ($_ eq $target || /^no-/ || /^disable-/) { # "no-..." follows later after implied disactivations - # have been derived. (Don't take this too seriously, + # have been derived. (Don't take this too seroiusly, # we really only write OPTIONS to the Makefile out of # nostalgia.) 
@@ -972,7 +972,7 @@ unless ($disabled{threads}) { $disabled{threads} = "unavailable"; } } else { - # The user chose to enable threads explicitly, let's see + # The user chose to enable threads explicitely, let's see # if there's a chance that's possible if ($target{thread_scheme} eq "(unknown)") { # If the user asked for "threads" and we don't have internal @@ -2093,8 +2093,8 @@ sub read_config { } -# configuration resolver. Will only resolve all the lazy evaluation -# codeblocks for the chosen target and all those it inherits from, +# configuration resolver. Will only resolve all the lazy evalutation +# codeblocks for the chozen target and all those it inherits from, # recursively sub resolve_config { my $target = shift; @@ -2147,7 +2147,7 @@ sub resolve_config { # - If a value is a coderef, it will be executed with the list of # inherited values as arguments. # - If the corresponding key doesn't have a value at all or is the - # empty string, the inherited value list will be run through the + # emoty string, the inherited value list will be run through the # default combiner (below), and the result becomes this target's # value. # - Otherwise, this target's value is assumed to be a string that diff --git a/apps/apps.c b/apps/apps.c index 4104553..7ba12fe 100644 --- a/apps/apps.c +++ b/apps/apps.c @@ -1964,9 +1964,9 @@ void policies_print(X509_STORE_CTX *ctx) * in a format suitable for passing to SSL_CTX_set_next_protos_advertised. * outlen: (output) set to the length of the resulting buffer on success. * err: (maybe NULL) on failure, an error message line is written to this BIO. - * in: a NUL terminated string like "abc,def,ghi" + * in: a NUL termianted string like "abc,def,ghi" * - * returns: a malloc'd buffer or NULL on failure. + * returns: a malloced buffer or NULL on failure. */ unsigned char *next_protos_parse(size_t *outlen, const char *in) { diff --git a/crypto/asn1/bio_ndef.c b/crypto/asn1/bio_ndef.c index e71bd63..9a6eaf6 100644 
--- a/crypto/asn1/bio_ndef.c +++ b/crypto/asn1/bio_ndef.c @@ -119,7 +119,7 @@ BIO *BIO_new_NDEF(BIO *out, ASN1_VALUE *val, const ASN1_ITEM *it) BIO_asn1_set_suffix(asn_bio, ndef_suffix, ndef_suffix_free); /* - * Now let callback prepends any digest, cipher etc BIOs ASN1 structure + * Now let callback prepend any digest, cipher etc BIOs ASN1 structure * needs. */ diff --git a/crypto/bio/b_addr.c b/crypto/bio/b_addr.c index 9323325..ed4c139 100644 --- a/crypto/bio/b_addr.c +++ b/crypto/bio/b_addr.c @@ -583,7 +583,7 @@ int BIO_parse_hostserv(const char *hostserv, char **host, char **service, * family, such as AF_UNIX * * the return value is 1 on success, or 0 on failure, which - * only happens if a memory allocation error occurred. + * only happens if a memory allocation error occured. */ static int addrinfo_wrap(int family, int socktype, const void *where, size_t wherelen, @@ -749,7 +749,7 @@ int BIO_lookup(const char *host, const char *service, #endif struct servent *se; - /* Apparently, on WIN64, s_proto and s_port have traded places... */ + /* Apprently, on WIN64, s_proto and s_port have traded places... */ #ifdef _WIN64 struct servent se_fallback = { NULL, NULL, NULL, 0 }; #else diff --git a/crypto/engine/eng_int.h b/crypto/engine/eng_int.h index df12cde..f6a54d8 100644 --- a/crypto/engine/eng_int.h +++ b/crypto/engine/eng_int.h @@ -207,7 +207,7 @@ struct engine_st { int struct_ref; /* * reference count on usability of the engine type. NB: This controls the - * loading and initialisation of any functionality required by this + * loading and initialisation of any functionlity required by this * engine, whereas the previous count is simply to cope with * (de)allocation of this structure. Hence, running_ref <= struct_ref at * all times. diff --git a/crypto/include/internal/cryptlib_int.h b/crypto/include/internal/cryptlib_int.h index 296853f..ae30842 100644 --- a/crypto/include/internal/cryptlib_int.h +++ b/crypto/include/internal/cryptlib_int.h 
@@ -67,7 +67,7 @@ struct thread_local_inits_st { int ossl_init_thread_start(uint64_t opts); /* * OPENSSL_INIT flags. The primary list of these is in crypto.h. Flags below - * are those ommitted from crypto.h because they are "reserved for internal + * are those ommitted from crypto.h because they are "reserverd for internal * use". */ # define OPENSSL_INIT_ZLIB 0x00010000L diff --git a/crypto/include/internal/md32_common.h b/crypto/include/internal/md32_common.h index b3d72e4..156fa3a 100644 --- a/crypto/include/internal/md32_common.h +++ b/crypto/include/internal/md32_common.h @@ -387,7 +387,7 @@ int HASH_FINAL(unsigned char *md, HASH_CTX *c) # if defined(__alpha) || defined(__sparcv9) || defined(__mips) # define MD32_REG_T long /* - * This comment was originally written for MD5, which is why it + * This comment was originaly written for MD5, which is why it * discusses A-D. But it basically applies to all 32-bit digests, * which is why it was moved to common header file. * diff --git a/crypto/include/internal/x509_int.h b/crypto/include/internal/x509_int.h index c6fdd8d..fc032ae 100644 --- a/crypto/include/internal/x509_int.h +++ b/crypto/include/internal/x509_int.h @@ -109,7 +109,7 @@ struct X509_req_st { struct X509_crl_info_st { ASN1_INTEGER *version; /* version: defaults to v1(0) so may be NULL */ - X509_ALGOR sig_alg; /* signature algorithm */ + X509_ALGOR sig_alg; /* signagture algorithm */ X509_NAME *issuer; /* CRL issuer name */ ASN1_TIME *lastUpdate; /* lastUpdate field */ ASN1_TIME *nextUpdate; /* nextUpdate field: optional */ diff --git a/crypto/poly1305/poly1305.c b/crypto/poly1305/poly1305.c index 8d069b9..6bec8b3 100644 --- a/crypto/poly1305/poly1305.c +++ b/crypto/poly1305/poly1305.c 
@@ -94,7 +94,7 @@ typedef unsigned int u32; * POLY1305_BLOCK_SIZE and |padbit| to 0. In all other cases |padbit| * should be set to 1 to perform implicit padding with 128th bit. * poly1305_blocks does not actually check for this constraint though, - * it's caller(*)'s responsibility to comply. + * it's caller(*)'s resposibility to comply. * * (*) In the context "caller" is not application code, but higher * level Poly1305_* from this very module, so that quirks are diff --git a/crypto/srp/srp_vfy.c b/crypto/srp/srp_vfy.c index 606ed8b..78db608 100644 --- a/crypto/srp/srp_vfy.c +++ b/crypto/srp/srp_vfy.c @@ -445,7 +445,7 @@ int SRP_VBASE_init(SRP_VBASE *vb, char *verifier_file) if (sk_SRP_user_pwd_insert(vb->users_pwd, user_pwd, 0) == 0) goto err; - user_pwd = NULL; /* abandon responsibility */ + user_pwd = NULL; /* abandon responsability */ } } } diff --git a/crypto/x509v3/pcy_int.h b/crypto/x509v3/pcy_int.h index 8c2ef95..809dc5e 100644 --- a/crypto/x509v3/pcy_int.h +++ b/crypto/x509v3/pcy_int.h @@ -168,7 +168,7 @@ struct X509_POLICY_TREE_st { * required. */ STACK_OF(X509_POLICY_DATA) *extra_data; - /* This is the authority constrained policy set */ + /* This is the authority constained policy set */ STACK_OF(X509_POLICY_NODE) *auth_policies; STACK_OF(X509_POLICY_NODE) *user_policies; unsigned int flags; diff --git a/doc/crypto/EVP_EncryptInit.pod b/doc/crypto/EVP_EncryptInit.pod index ad949dd..b42b64c 100644 --- a/doc/crypto/EVP_EncryptInit.pod +++ b/doc/crypto/EVP_EncryptInit.pod @@ -388,7 +388,7 @@ the L section below for details. =item EVP_aes_128_ocb(void), EVP_aes_192_ocb(void), EVP_aes_256_ocb(void) -Offset Codebook Mode (OCB) for 128, 192 and 256 bit keys respectively. +Offest Codebook Mode (OCB) for 128, 192 and 256 bit keys respectively. These ciphers require additional control operations to function correctly: see the L section below for details. diff --git a/include/openssl/ct.h b/include/openssl/ct.h index fa25c69..0da3125 100644 
--- a/include/openssl/ct.h +++ b/include/openssl/ct.h @@ -367,7 +367,7 @@ __owur int SCT_LIST_validate(const STACK_OF(SCT) *scts, * for data that caller is responsible for freeing (only if function returns * successfully). * If "pp" is NULL and "*pp" is not NULL, caller is responsible for ensuring - * that "*pp" is large enough to accept all of the serialized data. + * that "*pp" is large enough to accept all of the serializied data. * Returns < 0 on error, >= 0 indicating bytes written (or would have been) * on success. */ @@ -394,7 +394,7 @@ STACK_OF(SCT) *o2i_SCT_LIST(STACK_OF(SCT) **a, const unsigned char **pp, * for data that caller is responsible for freeing (only if function returns * successfully). * If "pp" is NULL and "*pp" is not NULL, caller is responsible for ensuring - * that "*pp" is large enough to accept all of the serialized data. + * that "*pp" is large enough to accept all of the serializied data. * Returns < 0 on error, >= 0 indicating bytes written (or would have been) * on success. */ @@ -428,7 +428,7 @@ __owur int i2o_SCT(const SCT *sct, unsigned char **out); * Parses an SCT in TLS format and returns it. * If |psct| is not null, it will end up pointing to the parsed SCT. If it * already points to a non-null pointer, the pointer will be free'd. - * |in| should be a pointer to a string containing the TLS-format SCT. + * |in| should be a pointer to a string contianing the TLS-format SCT. * |in| will be advanced to the end of the SCT if parsing succeeds. * |len| should be the length of the SCT in |in|. * Returns NULL if an error occurs. 
@@ -449,7 +449,7 @@ __owur int i2o_SCT_signature(const SCT *sct, unsigned char **out); /* * Parses an SCT signature in TLS format and populates the |sct| with it. -* |in| should be a pointer to a string containing the TLS-format signature. +* |in| should be a pointer to a string contianing the TLS-format signature. * |in| will be advanced to the end of the signature if parsing succeeds. * |len| should be the length of the signature in |in|. * Returns the number of bytes parsed, or a negative integer if an error occurs. diff --git a/include/openssl/dh.h b/include/openssl/dh.h index 9b3df55..2e021e2 100644 --- a/include/openssl/dh.h +++ b/include/openssl/dh.h @@ -85,7 +85,7 @@ extern "C" { /* * If this flag is set the DH method is FIPS compliant and can be used in * FIPS mode. This is set in the validated module method. If an application - * sets this flag in its own methods it is its responsibility to ensure the + * sets this flag in its own methods it is its reposibility to ensure the * result is compliant. */ diff --git a/include/openssl/dsa.h b/include/openssl/dsa.h index 29fc86f..1b04584 100644 --- a/include/openssl/dsa.h +++ b/include/openssl/dsa.h @@ -96,7 +96,7 @@ extern "C" { /* * If this flag is set the DSA method is FIPS compliant and can be used in * FIPS mode. This is set in the validated module method. If an application - * sets this flag in its own methods it is its responsibility to ensure the + * sets this flag in its own methods it is its reposibility to ensure the * result is compliant. */ diff --git a/include/openssl/ec.h b/include/openssl/ec.h index 9a99091..892239d 100644 --- a/include/openssl/ec.h +++ b/include/openssl/ec.h 
@@ -241,7 +241,7 @@ int EC_GROUP_get_order(const EC_GROUP *group, BIGNUM *order, BN_CTX *ctx); const BIGNUM *EC_GROUP_get0_order(const EC_GROUP *group); -/** Gets the number of bits of the order of an EC_GROUP +/** Gets the number of bits of ther order of an EC_GROUP * \param group EC_GROUP object * \return number of bits of group order. */ @@ -438,7 +438,7 @@ typedef struct { /* * EC_builtin_curves(EC_builtin_curve *r, size_t size) returns number of all - * available curves or zero if a error occurred. In case r is not zero, + * available curves or zero if a error occurred. In case r ist not zero * nitems EC_builtin_curve structures are filled with the data of the first * nitems internal groups */ @@ -711,7 +711,7 @@ int EC_POINTs_make_affine(const EC_GROUP *group, size_t num, * \param group underlying EC_GROUP object * \param r EC_POINT object for the result * \param n BIGNUM with the multiplier for the group generator (optional) - * \param num number further summands + * \param num number futher summands * \param p array of size num of EC_POINT objects * \param m array of size num of BIGNUM objects * \param ctx BN_CTX object (optional) @@ -918,7 +918,7 @@ int EC_KEY_check_key(const EC_KEY *key); */ int EC_KEY_can_sign(const EC_KEY *eckey); -/** Sets a public key from affine coordinates performing +/** Sets a public key from affine coordindates performing * necessary NIST PKV tests. * \param key the EC_KEY object * \param x public key x coordinate @@ -1142,7 +1142,7 @@ ECDSA_SIG *ECDSA_do_sign(const unsigned char *dgst, int dgst_len, * \param dgst pointer to the hash value to sign * \param dgstlen length of the hash value * \param kinv BIGNUM with a pre-computed inverse k (optional) - * \param rp BIGNUM with a pre-computed rp value (optional), + * \param rp BIGNUM with a pre-computed rp value (optioanl), * see ECDSA_sign_setup * \param eckey EC_KEY object containing a private EC key * \return pointer to a ECDSA_SIG structure or NULL if an error occurred 
@@ -1193,7 +1193,7 @@ int ECDSA_sign(int type, const unsigned char *dgst, int dgstlen, * \param sig buffer to hold the DER encoded signature * \param siglen pointer to the length of the returned signature * \param kinv BIGNUM with a pre-computed inverse k (optional) - * \param rp BIGNUM with a pre-computed rp value (optional), + * \param rp BIGNUM with a pre-computed rp value (optioanl), * see ECDSA_sign_setup * \param eckey EC_KEY object containing a private EC key * \return 1 on success and 0 otherwise diff --git a/include/openssl/srp.h b/include/openssl/srp.h index 7a7406f..37e7678 100644 --- a/include/openssl/srp.h +++ b/include/openssl/srp.h @@ -106,7 +106,7 @@ typedef struct SRP_VBASE_st { } SRP_VBASE; /* - * Internal structure storing N and g pair + * Structure interne pour retenir les couples N et g */ typedef struct SRP_gN_st { char *id; diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h index 1aa669c..ea47cb3 100644 --- a/include/openssl/ssl.h +++ b/include/openssl/ssl.h @@ -2481,7 +2481,7 @@ void ERR_load_SSL_strings(void); # define SSL_R_RENEGOTIATION_ENCODING_ERR 336 # define SSL_R_RENEGOTIATION_MISMATCH 337 # define SSL_R_REQUIRED_CIPHER_MISSING 215 -# define SSL_R_REQUIRED_COMPRESSION_ALGORITHM_MISSING 342 +# define SSL_R_REQUIRED_COMPRESSSION_ALGORITHM_MISSING 342 # define SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING 345 # define SSL_R_SCT_VERIFICATION_FAILED 208 # define SSL_R_SERVERHELLO_TLSEXT 275 diff --git a/include/openssl/tls1.h b/include/openssl/tls1.h index ffc6eb7..c3344e1 100644 --- a/include/openssl/tls1.h +++ b/include/openssl/tls1.h @@ -156,7 +156,7 @@ extern "C" { #endif -/* Default security level if not overridden at config time */ +/* Default security level if not overriden at config time */ # ifndef OPENSSL_TLS_SECURITY_LEVEL # define OPENSSL_TLS_SECURITY_LEVEL 1 # endif diff --git a/include/openssl/ui.h b/include/openssl/ui.h index 7132ebd..3d1507e 100644 --- a/include/openssl/ui.h +++ b/include/openssl/ui.h 
@@ -270,7 +270,7 @@ UI_METHOD *UI_OpenSSL(void); display a dialog box after it has been built. a reader This function is called to read a given prompt, maybe from the tty, maybe from a field in a - window. Note that it's called with all string + window. Note that it's called wth all string structures, not only the prompt ones, so it must check such things itself. a closer This function closes the session, maybe by closing @@ -355,7 +355,7 @@ int UI_get_input_flags(UI_STRING *uis); /* Return the actual string to output (the prompt, info or error) */ const char *UI_get0_output_string(UI_STRING *uis); /* - * Return the optional action string to output (the boolean prompt + * Return the optional action string to output (the boolean promtp * instruction) */ const char *UI_get0_action_string(UI_STRING *uis); diff --git a/include/openssl/x509_vfy.h b/include/openssl/x509_vfy.h index 33d5e45..093b0f3 100644 --- a/include/openssl/x509_vfy.h +++ b/include/openssl/x509_vfy.h @@ -391,7 +391,7 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth); # define X509_V_FLAG_EXTENDED_CRL_SUPPORT 0x1000 /* Delta CRL support */ # define X509_V_FLAG_USE_DELTAS 0x2000 -/* Check self-signed CA signature */ +/* Check selfsigned CA signature */ # define X509_V_FLAG_CHECK_SS_SIGNATURE 0x4000 /* Use trusted store first */ # define X509_V_FLAG_TRUSTED_FIRST 0x8000 diff --git a/ssl/d1_lib.c b/ssl/d1_lib.c index 193f603..6d75225 100644 --- a/ssl/d1_lib.c +++ b/ssl/d1_lib.c @@ -797,7 +797,7 @@ int DTLSv1_listen(SSL *s, BIO_ADDR *client) } /* - * This is unnecessary if rbio and wbio are one and the same - but + * This is unneccessary if rbio and wbio are one and the same - but * maybe they're not. We ignore errors here - some BIOs do not * support this. */ diff --git a/ssl/record/rec_layer_d1.c b/ssl/record/rec_layer_d1.c index 6f9ac96..00af44e 100644 --- a/ssl/record/rec_layer_d1.c +++ b/ssl/record/rec_layer_d1.c 
@@ -666,7 +666,7 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, if (dest_maxlen > 0) { /* - * XDTLS: In a pathological case, the Client Hello may be + * XDTLS: In a pathalogical case, the Client Hello may be * fragmented--don't always expect dest_maxlen bytes */ if (SSL3_RECORD_get_length(rr) < dest_maxlen) { diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c index 4a5907b..773a6d6 100644 --- a/ssl/record/rec_layer_s3.c +++ b/ssl/record/rec_layer_s3.c @@ -495,7 +495,7 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, int len) /* * Depending on platform multi-block can deliver several *times* * better performance. Downside is that it has to allocate - * jumbo buffer to accommodate up to 8 records, but the + * jumbo buffer to accomodate up to 8 records, but the * compromise is considered worthy. */ if (type == SSL3_RT_APPLICATION_DATA && @@ -631,7 +631,7 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, int len) split_send_fragment = s->split_send_fragment; /* * If max_pipelines is 0 then this means "undefined" and we default to - * 1 pipeline. Similarly if the cipher does not support pipelined + * 1 pipeline. Similaraly if the cipher does not support pipelined * processing then we also only use 1 pipeline, or if we're not using * explicit IVs */ @@ -810,7 +810,7 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf, /* * extra fragment would be couple of cipher blocks, which would be * multiple of SSL3_ALIGN_PAYLOAD, so if we want to align the real - * payload, then we can just pretend we simply have two headers. + * payload, then we can just pretent we simply have two headers. */ align = (size_t)SSL3_BUFFER_get_buf(wb) + 2 * SSL3_RT_HEADER_LENGTH; align = (0-align) & (SSL3_ALIGN_PAYLOAD - 1); 
@@ -862,7 +862,7 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf, *(outbuf[j]++) = (s->version >> 8); /* - * Some servers hang if initial client hello is larger than 256 bytes + * Some servers hang if iniatial client hello is larger than 256 bytes * and record version number > TLS 1.0 */ if (SSL_get_state(s) == TLS_ST_CW_CLNT_HELLO @@ -1445,7 +1445,7 @@ int ssl3_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, /* * This is a warning but we receive it if we requested * renegotiation and the peer denied it. Terminate with a fatal - * alert because if application tried to renegotiate it + * alert because if application tried to renegotiatie it * presumably had a good reason and expects it to succeed. In * future we might have a renegotiation where we don't care if * the peer refused it where we carry on. diff --git a/ssl/s3_enc.c b/ssl/s3_enc.c index ec5ff9b..35ef948 100644 --- a/ssl/s3_enc.c +++ b/ssl/s3_enc.c @@ -231,7 +231,7 @@ int ssl3_change_cipher_state(SSL *s, int which) goto err; else /* - * make sure it's initialised in case we exit later with an error + * make sure it's intialized in case we exit later with an error */ EVP_CIPHER_CTX_reset(s->enc_read_ctx); dd = s->enc_read_ctx; @@ -262,7 +262,7 @@ int ssl3_change_cipher_state(SSL *s, int which) goto err; else /* - * make sure it's initialised in case we exit later with an error + * make sure it's intialized in case we exit later with an error */ EVP_CIPHER_CTX_reset(s->enc_write_ctx); dd = s->enc_write_ctx; diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index fc2aac8..ef65050 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -3839,7 +3839,7 @@ int ssl3_shutdown(SSL *s) if (ret == -1) { /* * we only get to return -1 here the 2nd/Nth invocation, we must - * have already signalled return 0 upon a previous invocation, + * have already signalled return 0 upon a previous invoation, * return WANT_WRITE */ return (ret); 
diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c index 8668a59..24ac352 100644 --- a/ssl/ssl_cert.c +++ b/ssl/ssl_cert.c @@ -842,7 +842,7 @@ static int ssl_add_cert_to_buf(BUF_MEM *buf, unsigned long *l, X509 *x) return 1; } -/* Add certificate chain to internal SSL BUF_MEM structure */ +/* Add certificate chain to internal SSL BUF_MEM strcuture */ int ssl_add_cert_chain(SSL *s, CERT_PKEY *cpk, unsigned long *l) { BUF_MEM *buf = s->init_buf; diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c index e42849e..d0cadc6 100644 --- a/ssl/ssl_err.c +++ b/ssl/ssl_err.c @@ -587,8 +587,8 @@ static ERR_STRING_DATA SSL_str_reasons[] = { "renegotiation encoding err"}, {ERR_REASON(SSL_R_RENEGOTIATION_MISMATCH), "renegotiation mismatch"}, {ERR_REASON(SSL_R_REQUIRED_CIPHER_MISSING), "required cipher missing"}, - {ERR_REASON(SSL_R_REQUIRED_COMPRESSION_ALGORITHM_MISSING), - "required compression algorithm missing"}, + {ERR_REASON(SSL_R_REQUIRED_COMPRESSSION_ALGORITHM_MISSING), + "required compresssion algorithm missing"}, {ERR_REASON(SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING), "scsv received when renegotiating"}, {ERR_REASON(SSL_R_SCT_VERIFICATION_FAILED), "sct verification failed"}, diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index a289d3a..e651189 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -3706,7 +3706,7 @@ void SSL_set_not_resumable_session_callback(SSL *ssl, /* * Allocates new EVP_MD_CTX and sets pointer to it into given pointer - * variable, freeing EVP_MD_CTX previously stored in that variable, if any. + * vairable, freeing EVP_MD_CTX previously stored in that variable, if any. * If EVP_MD pointer is passed, initializes ctx with this md Returns newly * allocated ctx; */ diff --git a/ssl/ssl_txt.c b/ssl/ssl_txt.c index e0f82ec..b2c6bf7 100644 --- a/ssl/ssl_txt.c +++ b/ssl/ssl_txt.c 
@@ -238,7 +238,7 @@ int SSL_SESSION_print_keylog(BIO *bp, const SSL_SESSION *x) /* * the RSA prefix is required by the format's definition although there's - * nothing RSA-specific in the output, therefore, we don't have to check if + * nothing RSA-specifc in the output, therefore, we don't have to check if * the cipher suite is based on RSA */ if (BIO_puts(bp, "RSA ") <= 0) diff --git a/ssl/statem/statem.h b/ssl/statem/statem.h index f8f79cf..263a395 100644 --- a/ssl/statem/statem.h +++ b/ssl/statem/statem.h @@ -54,7 +54,7 @@ /***************************************************************************** * * - * These enums should be considered PRIVATE to the state machine. No * + * These emums should be considered PRIVATE to the state machine. No * * non-state machine code should need to use these * * * *****************************************************************************/ diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c index 08b8c7d..73f54bc 100644 --- a/ssl/statem/statem_clnt.c +++ b/ssl/statem/statem_clnt.c @@ -870,7 +870,7 @@ int tls_construct_client_hello(SSL *s) * 1. Client hello indicates TLS 1.2 * 2. Server hello says TLS 1.0 * 3. RSA encrypted premaster secret uses 1.2. - * 4. Handshake proceeds using TLS 1.0. + * 4. Handhaked proceeds using TLS 1.0. * 5. Server sends hello request to renegotiate. * 6. Client hello indicates TLS v1.0 as we now * know that is maximum server supports. diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c index 8fdf6e6..23e7903 100644 --- a/ssl/statem/statem_srvr.c +++ b/ssl/statem/statem_srvr.c @@ -1376,7 +1376,7 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) if (k >= complen) { al = SSL_AD_ILLEGAL_PARAMETER; SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, - SSL_R_REQUIRED_COMPRESSION_ALGORITHM_MISSING); + SSL_R_REQUIRED_COMPRESSSION_ALGORITHM_MISSING); goto f_err; } } else if (s->hit) diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index 26feac9..a20e85f 100644 --- a/ssl/t1_lib.c 
+++ b/ssl/t1_lib.c @@ -767,7 +767,7 @@ static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md) # ifndef OPENSSL_NO_EC /* - * tls1_check_ec_tmp_key - Check EC temporary key compatibility + * tls1_check_ec_tmp_key - Check EC temporary key compatiblity * @s: SSL connection * @cid: Cipher ID we're considering using * @@ -1179,7 +1179,7 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, /*- * check for enough space. - * 4 for the servername type and extension length + * 4 for the servername type and entension length * 2 for servernamelist length * 1 for the hostname type * 2 for hostname length @@ -1217,7 +1217,7 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, /*- * check for enough space. - * 4 for the srp type type and extension length + * 4 for the srp type type and entension length * 1 for the srp user identity * + srp user identity length */ @@ -1412,7 +1412,7 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, #ifndef OPENSSL_NO_NEXTPROTONEG if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len) { /* - * The client advertises an empty extension to indicate its support + * The client advertises an emtpy extension to indicate its support * for Next Protocol Negotiation */ if (limit - ret - 4 < 0) @@ -2002,7 +2002,7 @@ static int ssl_scan_clienthello_tlsext(SSL *s, PACKET *pkt, int *al) /* * Although the server_name extension was intended to be * extensible to new name types, RFC 4366 defined the - * syntax inextensibility and OpenSSL 1.0.x parses it as + * syntax inextensibly and OpenSSL 1.0.x parses it as * such. * RFC 6066 corrected the mistake but adding new name types * is nevertheless no longer feasible, so act as if no other 
@@ -2231,7 +2231,7 @@ static int ssl_scan_clienthello_tlsext(SSL *s, PACKET *pkt, int *al) * * s->new_session will be set on renegotiation, but we * probably shouldn't rely that it couldn't be set on - * the initial renegotiation too in certain cases (when + * the initial renegotation too in certain cases (when * there's some other reason to disallow resuming an * earlier session -- the current code won't be doing * anything like that, but this might change). @@ -2733,8 +2733,7 @@ int tls1_set_server_sigalgs(SSL *s) { int al; size_t i; - - /* Clear any shared signature algorithms */ + /* Clear any shared sigtnature algorithms */ OPENSSL_free(s->cert->shared_sigalgs); s->cert->shared_sigalgs = NULL; s->cert->shared_sigalgslen = 0; @@ -3072,7 +3071,7 @@ end: * tls_decrypt_ticket attempts to decrypt a session ticket. * * etick: points to the body of the session ticket extension. - * eticklen: the length of the session tickets extension. + * eticklen: the length of the session tickets extenion. * sess_id: points at the session ID. * sesslen: the length of the session ID. * psess: (output) on return, if a ticket was decrypted, then this is set to diff --git a/test/dhtest.c b/test/dhtest.c index e15e8a8..5940aa7 100644 --- a/test/dhtest.c +++ b/test/dhtest.c @@ -607,7 +607,7 @@ static int run_rfc5114_tests(void) OPENSSL_free(Z1); OPENSSL_free(Z2); - fprintf(stderr, "Initialisation error RFC5114 set %d\n", i + 1); + fprintf(stderr, "Initalisation error RFC5114 set %d\n", i + 1); ERR_print_errors_fp(stderr); return 0; err: From builds at travis-ci.org Mon Apr 4 20:39:58 2016 
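Review bot: The ssl/ssl_err.c hunk (@@ -587,8 +587,8 @@) and the matching SSLerr() call in tls_process_client_hello in ssl/statem/statem_srvr.c are not comment-only like the hunks around them: they change a reason-code macro to SSL_R_REQUIRED_COMPRESSSION_ALGORITHM_MISSING and the error string to "required compresssion algorithm missing", both of which callers and log parsers can see. The two use sites are changed consistently, but the macro's definition is not among the lines shown, so confirm the header carries the same three-S spelling before this lands. Handling the identifier and string in their own reviewed change, separate from the comment edits, would make the intent easier to check.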
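Review bot: The tls1_set_server_sigalgs hunk in ssl/t1_lib.c (@@ -2733,8 +2733,7 @@) drops the blank line between the "size_t i;" declaration and the first statement as well as changing the comment, so it shrinks from 8 lines to 7 where every other comment hunk in this file is a one-for-one swap. Keep the blank line after the declarations; the added comment line also reads "sigtnature" where "signature" is meant.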
From: builds at travis-ci.org (Travis CI)
Date: Mon, 04 Apr 2016 20:39:58 +0000
Subject: [openssl-commits] Fixed: FdaSilvaYY/openssl#405 (ex_data-fixes - 4fcdec4)
In-Reply-To:
Message-ID: <5702d11dc9a7e_33fd0d32c3b641458692@dbfa9a30-2cac-424c-81ea-3cb1521c4ab5.mail>

Build Update for FdaSilvaYY/openssl
-------------------------------------

Build: #405
Status: Fixed

Duration: 42 minutes and 35 seconds
Commit: 4fcdec4 (ex_data-fixes)
Author: FdaSilvaYY
Message: Add checks on CRYPTO_new_ex_data return value, adapted to new multi-threading API changes. Once reference, lock, meth, and flag fields are setup, DSA_free/DH_free can be called directly.

View the changeset: https://github.com/FdaSilvaYY/openssl/compare/278dac43f97c...4fcdec46cc1d

View the full build log and details: https://travis-ci.org/FdaSilvaYY/openssl/builds/120674243

--

You can configure recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From no-reply at appveyor.com Mon Apr 4 21:03:15 2016
From: no-reply at appveyor.com (AppVeyor)
Date: Mon, 04 Apr 2016 21:03:15 +0000
Subject: [openssl-commits] Build failed: openssl master.2549
Message-ID: <20160404210315.9990.70346.B0A54792@appveyor.com>

An HTML attachment was scrubbed...
URL:

From no-reply at appveyor.com Mon Apr 4 21:59:20 2016
From: no-reply at appveyor.com (AppVeyor)
Date: Mon, 04 Apr 2016 21:59:20 +0000
Subject: [openssl-commits] Build failed: openssl master.2550
Message-ID: <20160404215914.97867.87383.DF23E0EC@appveyor.com>

An HTML attachment was scrubbed...
URL:

From builds at travis-ci.org Mon Apr 4 22:12:39 2016
From: builds at travis-ci.org (Travis CI)
Date: Mon, 04 Apr 2016 22:12:39 +0000
Subject: [openssl-commits] Broken: openssl/openssl#3240 (master - f6c006e)
In-Reply-To:
Message-ID: <5702e6d8d9f93_33fd0da0b5fa0160905e@dbfa9a30-2cac-424c-81ea-3cb1521c4ab5.mail>

Build Update for openssl/openssl
-------------------------------------

Build: #3240
Status: Broken

Duration: 30 minutes and 28 seconds
Commit: f6c006e (master)
Author: FdaSilvaYY
Message: Fix a possible leak on NETSCAPE_SPKI_verify failure.

Reviewed-by: Stephen Henson
Reviewed-by: Rich Salz

View the changeset: https://github.com/openssl/openssl/compare/6c13488c4e75...f6c006ea7630

View the full build log and details: https://travis-ci.org/openssl/openssl/builds/120703918

--

You can configure recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From builds at travis-ci.org Mon Apr 4 22:32:27 2016
From: builds at travis-ci.org (Travis CI)
Date: Mon, 04 Apr 2016 22:32:27 +0000
Subject: [openssl-commits] Broken: openssl/openssl#3241 (master - 2b0bcfa)
In-Reply-To:
Message-ID: <5702eb7b54609_33f8a7f0b2374868421@acd1db2a-604f-4220-b0cd-4cf67df92499.mail>

Build Update for openssl/openssl
-------------------------------------

Build: #3241
Status: Broken

Duration: 27 minutes and 35 seconds
Commit: 2b0bcfa (master)
Author: FdaSilvaYY
Message: Fix an error code spelling.

Reviewed-by: Richard Levitte
Reviewed-by: Rich Salz

View the changeset: https://github.com/openssl/openssl/compare/f6c006ea7630...2b0bcfaf834e

View the full build log and details: https://travis-ci.org/openssl/openssl/builds/120704260

--

You can configure recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From builds at travis-ci.org Mon Apr 4 22:33:57 2016
From: builds at travis-ci.org (Travis CI)
Date: Mon, 04 Apr 2016 22:33:57 +0000
Subject: [openssl-commits] Still Failing: FdaSilvaYY/openssl#410 (X509_REQ_to_X509 - ad072cb)
In-Reply-To:
Message-ID: <5702ebd5124b1_33ff0e263ab74364091@8955cc38-88e2-4a2d-9489-098574516b9f.mail>

Build Update for FdaSilvaYY/openssl
-------------------------------------

Build: #410
Status: Still Failing

Duration: 37 minutes and 0 seconds
Commit: ad072cb (X509_REQ_to_X509)
Author: FdaSilvaYY
Message: Fix a possible leak on NETSCAPE_SPKI_verify failure.

View the changeset: https://github.com/FdaSilvaYY/openssl/compare/0fc33b842b5f...ad072cbf671d

View the full build log and details: https://travis-ci.org/FdaSilvaYY/openssl/builds/120697683

--

You can configure recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From rsalz at openssl.org Mon Apr 4 22:45:01 2016
From: rsalz at openssl.org (Rich Salz) Date: Mon, 04 Apr 2016 22:45:01 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1459809901.077556.23113.nullmailer@dev.openssl.org> The branch master has been updated via 3e3957816c131e536b0b5122b65dcbe28ee6e0ac (commit) via b2be6ed0509315d15a75f7c7c9c19e04d6b8949e (commit) via 76c1183dee1699601d843663c86e90fff2c23934 (commit) from e771eea6d8ca3caa48076367ee86c3b55249dcb3 (commit) - Log ----------------------------------------------------------------- commit 3e3957816c131e536b0b5122b65dcbe28ee6e0ac Author: Viktor Szakats Date: Tue Mar 29 21:30:11 2016 +0200 set exec attribute for .pl files Reviewed-by: Richard Levitte Reviewed-by: Rich Salz commit b2be6ed0509315d15a75f7c7c9c19e04d6b8949e Author: Viktor Szakats Date: Tue Mar 29 21:26:39 2016 +0200 fix perl shebang Reviewed-by: Richard Levitte Reviewed-by: Rich Salz commit 76c1183dee1699601d843663c86e90fff2c23934 Author: Viktor Szakats Date: Tue Mar 29 16:25:18 2016 +0200 use whitespace more consistently Reviewed-by: Richard Levitte Reviewed-by: Rich Salz ----------------------------------------------------------------------- Summary of changes: ms/cmp.pl | 60 +++++++++++++++++++++++++++++----------------------------- ms/segrenam.pl | 40 +++++++++++++++++++-------------------- 2 files changed, 50 insertions(+), 50 deletions(-) mode change 100644 => 100755 ms/cmp.pl mode change 100644 => 100755 ms/segrenam.pl diff --git a/ms/cmp.pl b/ms/cmp.pl old mode 100644 new mode 100755 index 95b257f..31d7e1e --- a/ms/cmp.pl +++ b/ms/cmp.pl @@ -1,4 +1,4 @@ -#!/usr/local/bin/perl +#!/usr/bin/env perl ($#ARGV == 1) || die "usage: cmp.pl \n"; 
@@ -10,38 +10,38 @@ binmode IN1; $tot=0; $ret=1; for (;;) - { - $n1=sysread(IN0,$b1,4096); - $n2=sysread(IN1,$b2,4096); +{ + $n1=sysread(IN0,$b1,4096); + $n2=sysread(IN1,$b2,4096); - last if ($n1 != $n2); - last if ($b1 ne $b2); - last if ($n1 < 0); - if ($n1 == 0) - { - $ret=0; - last; - } - $tot+=$n1; - } + last if ($n1 != $n2); + last if ($b1 ne $b2); + last if ($n1 < 0); + if ($n1 == 0) + { + $ret=0; + last; + } + $tot+=$n1; +} close(IN0); close(IN1); if ($ret) - { - printf STDERR "$ARGV[0] and $ARGV[1] are different\n"; - @a1=unpack("C*",$b1); - @a2=unpack("C*",$b2); - for ($i=0; $i<=$#a1; $i++) - { - if ($a1[$i] ne $a2[$i]) - { - printf "%02X %02X <<\n",$a1[$i],$a2[$i]; - last; - } - } - $nm=$tot+$n1; - $tot+=$i+1; - printf STDERR "diff at char $tot of $nm\n"; - } +{ + printf STDERR "$ARGV[0] and $ARGV[1] are different\n"; + @a1=unpack("C*",$b1); + @a2=unpack("C*",$b2); + for ($i=0; $i<=$#a1; $i++) + { + if ($a1[$i] ne $a2[$i]) + { + printf "%02X %02X <<\n",$a1[$i],$a2[$i]; + last; + } + } + $nm=$tot+$n1; + $tot+=$i+1; + printf STDERR "diff at char $tot of $nm\n"; +} exit($ret); diff --git a/ms/segrenam.pl b/ms/segrenam.pl old mode 100644 new mode 100755 index 2ab22a0..7e64c8e --- a/ms/segrenam.pl +++ b/ms/segrenam.pl 
@@ -7,17 +7,17 @@ unpack("L",pack("N",1))!=1 || die "only little-endian hosts are supported"; # first argument can specify custom suffix... $suffix=(@ARGV[0]=~/^\$/) ? shift(@ARGV) : "\$m"; ################################################################# -# rename segments in COFF modules according to %map table below # -%map=( ".text" => "fipstx$suffix", # - ".text\$"=> "fipstx$suffix", # - ".rdata"=> "fipsrd$suffix", # - ".data" => "fipsda$suffix" ); # +# rename segments in COFF modules according to %map table below # +%map=( ".text" => "fipstx$suffix", # + ".text\$"=> "fipstx$suffix", # + ".rdata" => "fipsrd$suffix", # + ".data" => "fipsda$suffix" ); # ################################################################# # collect file list foreach (@ARGV) { - if (/\*/) { push(@files,glob($_)); } - else { push(@files,$_); } + if (/\*/) { push(@files,glob($_)); } + else { push(@files,$_); } } use Fcntl; @@ -33,13 +33,13 @@ foreach (@files) { sysread(FD,$mz,64)==64 || die "$file is too short"; @dos_header=unpack("a2C58I",$mz); if (@dos_header[0] eq "MZ") { - $e_lfanew=pop(@dos_header); - sysseek(FD,$e_lfanew,SEEK_SET) || die "$file is too short"; - sysread(FD,$Magic,4)==4 || die "$file is too short"; - unpack("I",$Magic)==0x4550 || die "$file is not COFF image"; + $e_lfanew=pop(@dos_header); + sysseek(FD,$e_lfanew,SEEK_SET) || die "$file is too short"; + sysread(FD,$Magic,4)==4 || die "$file is too short"; + unpack("I",$Magic)==0x4550 || die "$file is not COFF image"; } elsif ($file =~ /\.obj$/i) { - # .obj files have no IMAGE_DOS_HEADER - sysseek(FD,0,SEEK_SET) || die "unable to rewind $file"; + # .obj files have no IMAGE_DOS_HEADER + sysseek(FD,0,SEEK_SET) || die "unable to rewind $file"; } else { next; } # read IMAGE_FILE_HEADER 
@@ -53,13 +53,13 @@ foreach (@files) { # traverse IMAGE_SECTION_HEADER table for($i=0;$i<$NumberOfSections;$i++) { - sysread(FD,$SectionHeader,40)==40 || die "$file is too short"; - ($Name, at opaque)=unpack("Z8C*",$SectionHeader); - if ($map{$Name}) { - sysseek(FD,-40,SEEK_CUR) || die "unable to rewind $file"; - syswrite(FD,pack("a8C*",$map{$Name}, at opaque))==40 || die "syswrite failed: $!"; - printf " %-8s -> %.8s\n",$Name,$map{$Name} unless $quiet; - } + sysread(FD,$SectionHeader,40)==40 || die "$file is too short"; + ($Name, at opaque)=unpack("Z8C*",$SectionHeader); + if ($map{$Name}) { + sysseek(FD,-40,SEEK_CUR) || die "unable to rewind $file"; + syswrite(FD,pack("a8C*",$map{$Name}, at opaque))==40 || die "syswrite failed: $!"; + printf " %-8s -> %.8s\n",$Name,$map{$Name} unless $quiet; + } } close(FD); } From rsalz at openssl.org Mon Apr 4 22:51:30 2016 From: rsalz at openssl.org (Rich Salz) Date: Mon, 04 Apr 2016 22:51:30 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1459810290.899222.27100.nullmailer@dev.openssl.org> The branch master has been updated via 173f613b6a9029f34454b642ee4f3db6c6566fcb (commit) from 3e3957816c131e536b0b5122b65dcbe28ee6e0ac (commit) - Log ----------------------------------------------------------------- commit 173f613b6a9029f34454b642ee4f3db6c6566fcb Author: FdaSilvaYY Date: Tue Apr 5 00:13:06 2016 +0200 Fix a shadow symbol warning ... comes from c5137473bdc7. Fix Travis builds. Reviewed-by: Richard Levitte Reviewed-by: Rich Salz ----------------------------------------------------------------------- Summary of changes: apps/req.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/apps/req.c b/apps/req.c index 561cccc..b6a545f 100644 --- a/apps/req.c +++ b/apps/req.c 
@@ -739,15 +739,15 @@ int req_main(int argc, char **argv) } if (verify && !x509) { - EVP_PKEY *pubkey = pkey; + EVP_PKEY *tpubkey = pkey; - if (pubkey == NULL) { - pubkey = X509_REQ_get0_pubkey(req); - if (pubkey == NULL) + if (tpubkey == NULL) { + tpubkey = X509_REQ_get0_pubkey(req); + if (tpubkey == NULL) goto end; } - i = X509_REQ_verify(req, pubkey); + i = X509_REQ_verify(req, tpubkey); if (i < 0) { goto end; From builds at travis-ci.org Mon Apr 4 22:53:15 2016 From: builds at travis-ci.org (Travis CI) Date: Mon, 04 Apr 2016 22:53:15 +0000 Subject: [openssl-commits] Broken: openssl/openssl#3242 (master - e771eea) In-Reply-To: Message-ID: <5702f05b145ea_33fd0d323817c16668d2@dbfa9a30-2cac-424c-81ea-3cb1521c4ab5.mail> Build Update for openssl/openssl ------------------------------------- Build: #3242 Status: Broken Duration: 27 minutes and 53 seconds Commit: e771eea (master) Author: Rich Salz Message: Revert "various spelling fixes" This reverts commit 620d540bd47a96fb6905fbbdd8ea5167a8841a3e. It wasn't reviewed. Reviewed-by: Rich Salz View the changeset: https://github.com/openssl/openssl/compare/2b0bcfaf834e...e771eea6d8ca View the full build log and details: https://travis-ci.org/openssl/openssl/builds/120719387 -- You can configure recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications -------------- next part -------------- An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Mon Apr 4 22:54:37 2016 From: no-reply at appveyor.com (AppVeyor) Date: Mon, 04 Apr 2016 22:54:37 +0000 Subject: [openssl-commits] Build failed: openssl master.2551 Message-ID: <20160404225437.9980.64988.A7717819@appveyor.com> An HTML attachment was scrubbed... URL: From builds at travis-ci.org Mon Apr 4 23:26:37 2016 
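Review bot: In ms/cmp.pl, the re-indented read loop (@@ -10,38 +10,38 @@) keeps "last if ($n1 < 0);", which can never fire because Perl's sysread returns undef on error rather than a negative count. An undef $n1 also compares equal to 0 in "if ($n1 == 0)", so a read failure that gets past the first two checks sets $ret=0 and the script exits reporting the files as identical. Since these lines are being touched anyway, check that $n1 and $n2 are defined and die with $! when they are not.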
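Review bot: In ms/segrenam.pl, the section-header loop (@@ -53,13 +53,13 @@) writes the replacement name through an "a8" pack template, which silently truncates anything longer than 8 bytes. The %map values are "fipstx", "fipsrd" and "fipsda" plus $suffix, which fit exactly with the default two-character "$m", but the first argument can supply a longer custom suffix. Check that length($map{$Name}) is at most 8 and die before the syswrite, so an over-long suffix is reported instead of producing a truncated section name.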
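Review bot: In apps/req.c (@@ -739,15 +739,15 @@), the new name tpubkey gives no hint of why it differs from pubkey, and the declaration it clashed with is outside the hunk, so a later reader cannot tell the prefix exists only to silence a shadow warning. A descriptive name, or a one-line comment on the declaration saying which outer symbol it avoids, would make that clear and keep someone from renaming it back.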
From: builds at travis-ci.org (Travis CI)
Date: Mon, 04 Apr 2016 23:26:37 +0000
Subject: [openssl-commits] Failed: FdaSilvaYY/openssl#412 (01-04-handle-failed-ssl-ctx-alloc - ac665fa)
In-Reply-To:
Message-ID: <5702f82d7af93_33fd0d323968017060e6@dbfa9a30-2cac-424c-81ea-3cb1521c4ab5.mail>

Build Update for FdaSilvaYY/openssl
-------------------------------------

Build: #412
Status: Failed

Duration: 34 minutes and 5 seconds
Commit: ac665fa (01-04-handle-failed-ssl-ctx-alloc)
Author: FdaSilvaYY
Message: Fix some malloc failure crashes on X509_STORE_CTX_set_ex_data from BoringSSL 306ece31bcaaed49e0240a2e5555f8901ebb2d45

View the changeset: https://github.com/FdaSilvaYY/openssl/commit/ac665fa91410

View the full build log and details: https://travis-ci.org/FdaSilvaYY/openssl/builds/120700403

--

You can configure recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From builds at travis-ci.org Mon Apr 4 23:47:15 2016
From: builds at travis-ci.org (Travis CI)
Date: Mon, 04 Apr 2016 23:47:15 +0000
Subject: [openssl-commits] Still Failing: openssl/openssl#3245 (master - 3e39578)
In-Reply-To:
Message-ID: <5702fd04abdc0_33ff0dcb39ab840580@8955cc38-88e2-4a2d-9489-098574516b9f.mail>

Build Update for openssl/openssl
-------------------------------------

Build: #3245
Status: Still Failing

Duration: 23 minutes and 1 second
Commit: 3e39578 (master)
Author: Viktor Szakats
Message: set exec attribute for .pl files

Reviewed-by: Richard Levitte
Reviewed-by: Rich Salz

View the changeset: https://github.com/openssl/openssl/compare/e771eea6d8ca...3e3957816c13

View the full build log and details: https://travis-ci.org/openssl/openssl/builds/120756154

--

You can configure recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From builds at travis-ci.org Mon Apr 4 23:51:41 2016
From: builds at travis-ci.org (Travis CI)
Date: Mon, 04 Apr 2016 23:51:41 +0000
Subject: [openssl-commits] Errored: FdaSilvaYY/openssl#413 (fix-shadow-warning-in-build - f9125db)
In-Reply-To:
Message-ID: <5702fe0cc4883_33ff0dc9f73d04064bc@8955cc38-88e2-4a2d-9489-098574516b9f.mail>

Build Update for FdaSilvaYY/openssl
-------------------------------------

Build: #413
Status: Errored

Duration: 35 minutes and 49 seconds
Commit: f9125db (fix-shadow-warning-in-build)
Author: FdaSilvaYY
Message: Fix a shadow symbol warning ... comes from c5137473bdc7. Fix Travis builds.

View the changeset: https://github.com/FdaSilvaYY/openssl/compare/0517538d1a39^...f9125db72be0

View the full build log and details: https://travis-ci.org/FdaSilvaYY/openssl/builds/120749205

--

You can configure recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From builds at travis-ci.org Tue Apr 5 00:09:42 2016
From: builds at travis-ci.org (Travis CI)
Date: Tue, 05 Apr 2016 00:09:42 +0000
Subject: [openssl-commits] Still Failing: openssl/openssl#3246 (master - 173f613)
In-Reply-To:
Message-ID: <570302464a05e_33fb2ef2b7f50701cf@77656252-b11c-4d9b-aab2-8f2a58be9791.mail>

Build Update for openssl/openssl
-------------------------------------

Build: #3246
Status: Still Failing

Duration: 29 minutes and 12 seconds
Commit: 173f613 (master)
Author: FdaSilvaYY
Message: Fix a shadow symbol warning ... comes from c5137473bdc7. Fix Travis builds.

Reviewed-by: Richard Levitte
Reviewed-by: Rich Salz

View the changeset: https://github.com/openssl/openssl/compare/3e3957816c13...173f613b6a90

View the full build log and details: https://travis-ci.org/openssl/openssl/builds/120757521

--

You can configure recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From no-reply at appveyor.com Tue Apr 5 02:18:52 2016
From: no-reply at appveyor.com (AppVeyor)
Date: Tue, 05 Apr 2016 02:18:52 +0000
Subject: [openssl-commits] Build failed: openssl master.2558
Message-ID: <20160405021851.94562.4385.9793F352@appveyor.com>

An HTML attachment was scrubbed...
URL:

From no-reply at appveyor.com Tue Apr 5 03:12:37 2016
From: no-reply at appveyor.com (AppVeyor)
Date: Tue, 05 Apr 2016 03:12:37 +0000
Subject: [openssl-commits] Build failed: openssl master.2559
Message-ID: <20160405031237.9080.3670.FA805B93@appveyor.com>

An HTML attachment was scrubbed...
URL:

From no-reply at appveyor.com Tue Apr 5 04:00:56 2016
From: no-reply at appveyor.com (AppVeyor)
Date: Tue, 05 Apr 2016 04:00:56 +0000
Subject: [openssl-commits] Build failed: openssl master.2560
Message-ID: <20160405040055.32761.99504.FB4AACA9@appveyor.com>

An HTML attachment was scrubbed...
URL:

From no-reply at appveyor.com Tue Apr 5 04:58:12 2016
From: no-reply at appveyor.com (AppVeyor)
Date: Tue, 05 Apr 2016 04:58:12 +0000
Subject: [openssl-commits] Build failed: openssl master.2561
Message-ID: <20160405045810.97855.75778.33E09E70@appveyor.com>

An HTML attachment was scrubbed...
URL:

From no-reply at appveyor.com Tue Apr 5 05:56:21 2016
From: no-reply at appveyor.com (AppVeyor)
Date: Tue, 05 Apr 2016 05:56:21 +0000
Subject: [openssl-commits] Build failed: openssl master.2563
Message-ID: <20160405055617.49905.39817.CE862800@appveyor.com>

An HTML attachment was scrubbed...
URL:

From no-reply at appveyor.com Tue Apr 5 06:51:09 2016
From: no-reply at appveyor.com (AppVeyor)
Date: Tue, 05 Apr 2016 06:51:09 +0000
Subject: [openssl-commits] Build failed: openssl master.2564
Message-ID: <20160405065109.7825.87182.D407E8E1@appveyor.com>

An HTML attachment was scrubbed...
URL:

From no-reply at appveyor.com Tue Apr 5 07:40:51 2016
From: no-reply at appveyor.com (AppVeyor)
Date: Tue, 05 Apr 2016 07:40:51 +0000
Subject: [openssl-commits] Build failed: openssl master.2565
Message-ID: <20160405074051.28265.62771.9428B34B@appveyor.com>

An HTML attachment was scrubbed...
URL:

From no-reply at appveyor.com Tue Apr 5 08:38:09 2016
From: no-reply at appveyor.com (AppVeyor)
Date: Tue, 05 Apr 2016 08:38:09 +0000
Subject: [openssl-commits] Build failed: openssl master.2566
Message-ID: <20160405083806.49897.65537.6BFC9BED@appveyor.com>

An HTML attachment was scrubbed...
URL:

From emilia at openssl.org Tue Apr 5 11:52:40 2016
From: emilia at openssl.org (Emilia Kasper) Date: Tue, 05 Apr 2016 11:52:40 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1459857160.145677.4985.nullmailer@dev.openssl.org> The branch master has been updated via 453dfd8d5ee0893146e0fb61a5978ab59ba95c01 (commit) from 173f613b6a9029f34454b642ee4f3db6c6566fcb (commit) - Log ----------------------------------------------------------------- commit 453dfd8d5ee0893146e0fb61a5978ab59ba95c01 Author: Emilia Kasper Date: Thu Mar 17 15:14:30 2016 +0100 New SSL test framework Currently, SSL tests are configured via command-line switches to ssltest.c. This results in a lot of duplication between ssltest.c and apps, and a complex setup. ssltest.c is also simply old and needs maintenance. Instead, we already have a way to configure SSL servers and clients, so we leverage that. SSL tests can now be configured from a configuration file. Test servers and clients are configured using the standard ssl_conf module. Additional test settings are configured via a test configuration. Moreover, since the CONF language involves unnecessary boilerplate, the test conf itself is generated from a shorter Perl syntax. The generated testcase files are checked in to the repo to make it easier to verify that the intended test cases are in fact run; and to simplify debugging failures. To demonstrate the approach, min/max protocol tests are converted to the new format. This change also fixes MinProtocol and MaxProtocol handling. It was previously requested that an SSL_CTX have both the server and client flags set for these commands; this clearly can never work. 
Guide to this PR: - test/ssl_test.c - test framework - test/ssl_test_ctx.* - test configuration structure - test/handshake_helper.* - new SSL test handshaking code - test/ssl-tests/ - test configurations - test/generate_ssl_tests.pl - script for generating CONF-style test configurations from perl inputs Reviewed-by: Richard Levitte ----------------------------------------------------------------------- Summary of changes: Configurations/unix-Makefile.tmpl | 9 +- ssl/ssl_conf.c | 4 +- test/Makefile.in | 26 +- test/README.ssltest.md | 139 + test/build.info | 13 +- test/generate_ssl_tests.pl | 104 + test/handshake_helper.c | 239 + test/handshake_helper.h | 35 + test/recipes/80-test_ssl.t | 54 +- test/recipes/80-test_ssl_new.t | 80 + test/recipes/80-test_ssl_test_ctx.t | 12 + test/ssl-tests/01-simple.conf | 56 + test/ssl-tests/01-simple.conf.in | 27 + test/ssl-tests/02-protocol-version.conf | 10697 +++++++++++++++++++++++++++ test/ssl-tests/02-protocol-version.conf.in | 115 + test/ssl-tests/ssltests_base.pm | 17 + test/ssl_test.c | 217 + test/ssl_test.tmpl | 27 + test/ssl_test_ctx.c | 205 + test/ssl_test_ctx.h | 53 + test/ssl_test_ctx_test.c | 179 + test/ssl_test_ctx_test.conf | 18 + test/testutil.c | 49 +- test/testutil.h | 13 +- 24 files changed, 12319 insertions(+), 69 deletions(-) create mode 100644 test/README.ssltest.md create mode 100644 test/generate_ssl_tests.pl create mode 100644 test/handshake_helper.c create mode 100644 test/handshake_helper.h create mode 100644 test/recipes/80-test_ssl_new.t create mode 100644 test/recipes/80-test_ssl_test_ctx.t create mode 100644 test/ssl-tests/01-simple.conf create mode 100644 test/ssl-tests/01-simple.conf.in create mode 100644 test/ssl-tests/02-protocol-version.conf create mode 100644 test/ssl-tests/02-protocol-version.conf.in create mode 100644 test/ssl-tests/ssltests_base.pm create mode 100644 test/ssl_test.c create mode 100644 test/ssl_test.tmpl create mode 100644 test/ssl_test_ctx.c create mode 100644 
test/ssl_test_ctx.h create mode 100644 test/ssl_test_ctx_test.c create mode 100644 test/ssl_test_ctx_test.conf diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl index 8da9a4c..9c8a461 100644 --- a/Configurations/unix-Makefile.tmpl +++ b/Configurations/unix-Makefile.tmpl @@ -711,7 +711,8 @@ dist: # Helper targets ##################################################### -link-utils: $(BLDDIR)/util/opensslwrap.sh $(BLDDIR)/util/shlib_wrap.sh +link-utils: $(BLDDIR)/util/opensslwrap.sh $(BLDDIR)/util/shlib_wrap.sh \ + $(BLDDIR)/test/generate_ssl_tests.pl $(BLDDIR)/util/opensslwrap.sh: configdata.pm @if [ "$(SRCDIR)" != "$(BLDDIR)" ]; then \ @@ -723,7 +724,11 @@ $(BLDDIR)/util/shlib_wrap.sh: configdata.pm mkdir -p "$(BLDDIR)/util"; \ ln -sf "../$(SRCDIR)/util/shlib_wrap.sh" "$(BLDDIR)/util"; \ fi - +$(BLDDIR)/test/generate_ssl_tests.pl: configdata.pm + @if [ "$(SRCDIR)" != "$(BLDDIR)" ]; then \ + mkdir -p "$(BLDDIR)/test"; \ + ln -sf "../$(SRCDIR)/test/generate_ssl_tests.pl" "$(BLDDIR)/test"; \ + fi FORCE: # Building targets ################################################### diff --git a/ssl/ssl_conf.c b/ssl/ssl_conf.c index 77fc437..fa0e353 100644 --- a/ssl/ssl_conf.c +++ b/ssl/ssl_conf.c @@ -594,8 +594,8 @@ static const ssl_conf_cmd_tbl ssl_conf_cmds[] = { #endif SSL_CONF_CMD_STRING(CipherString, "cipher", 0), SSL_CONF_CMD_STRING(Protocol, NULL, 0), - SSL_CONF_CMD_STRING(MinProtocol, "min_protocol", SSL_CONF_FLAG_SERVER | SSL_CONF_FLAG_CLIENT), - SSL_CONF_CMD_STRING(MaxProtocol, "max_protocol", SSL_CONF_FLAG_SERVER | SSL_CONF_FLAG_CLIENT), + SSL_CONF_CMD_STRING(MinProtocol, "min_protocol", 0), + SSL_CONF_CMD_STRING(MaxProtocol, "max_protocol", 0), SSL_CONF_CMD_STRING(Options, NULL, 0), SSL_CONF_CMD_STRING(VerifyMode, NULL, 0), SSL_CONF_CMD(Certificate, "cert", SSL_CONF_FLAG_CERTIFICATE, diff --git a/test/Makefile.in b/test/Makefile.in index ee66729..aadf2c7 100644 --- a/test/Makefile.in +++ b/test/Makefile.in 
@@ -85,6 +85,8 @@ CTTEST= ct_test THREADSTEST= threadstest AFALGTEST= afalgtest D2ITEST = d2i_test +SSLTESTCTXTEST = ssl_test_ctx_test +NEWSSLTEST = ssl_test TESTS= alltests @@ -107,7 +109,8 @@ EXE= $(NPTEST)$(EXE_EXT) $(MEMLEAKTEST)$(EXE_EXT) \ $(CONSTTIMETEST)$(EXE_EXT) $(VERIFYEXTRATEST)$(EXE_EXT) \ $(CLIENTHELLOTEST)$(EXE_EXT) $(PACKETTEST)$(EXE_EXT) $(ASYNCTEST)$(EXE_EXT) \ $(DTLSV1LISTENTEST)$(EXE_EXT) $(CTTEST)$(EXE_EXT) $(THREADSTEST)$(EXE_EXT) \ - $(AFALGTEST)$(EXE_EXT) $(D2ITEST)$(EXE_EXT) + $(AFALGTEST)$(EXE_EXT) $(D2ITEST)$(EXE_EXT) $(SSLTESTCTXTEST)$(EXE_EXT) \ + $(NEWSSLTEST)$(EXE_EXT) # $(METHTEST)$(EXE_EXT) @@ -125,7 +128,8 @@ OBJ= $(NPTEST).o $(MEMLEAKTEST).o \ $(HEARTBEATTEST).o $(P5_CRPT2_TEST).o \ $(CONSTTIMETEST).o $(VERIFYEXTRATEST).o $(CLIENTHELLOTEST).o \ $(PACKETTEST).o $(ASYNCTEST).o $(DTLSV1LISTENTEST).o $(CTTEST).o \ - $(THREADSTEST).o testutil.o $(AFALGTEST).o $(D2ITEST).o + $(THREADSTEST).o testutil.o $(AFALGTEST).o $(D2ITEST).o ssl_test_ctx.o \ + $(SSLTESTCTXTEST).o $(NEWSSLTEST).o handshake_helper.o SRC= $(NPTEST).c $(MEMLEAKTEST).c \ $(BNTEST).c $(ECTEST).c \ @@ -140,9 +144,10 @@ SRC= $(NPTEST).c $(MEMLEAKTEST).c \ $(HEARTBEATTEST).c $(P5_CRPT2_TEST).c \ $(CONSTTIMETEST).c $(VERIFYEXTRATEST).c $(CLIENTHELLOTEST).c \ $(PACKETTEST).c $(ASYNCTEST).c $(DTLSV1LISTENTEST).c $(CTTEST).c \ - $(THREADSTEST).c testutil.c $(AFALGTEST).c $(D2ITEST).c + $(THREADSTEST).c testutil.c $(AFALGTEST).c $(D2ITEST).c ssl_test_ctx.c \ + $(SSLTESTCTXTEST).c $(NEWSSLTEST).c handshake_helper.c -HEADER= testutil.h +HEADER= testutil.h ssl_test_ctx.h handshake_helper.h ALL= $(GENERAL) $(SRC) $(HEADER) 
@@ -389,4 +394,17 @@ $(AFALGTEST)$(EXE_EXT): $(AFALGTEST).o $(DLIBCRYPTO) $(D2ITEST)$(EXE_EXT): $(D2ITEST).o $(DLIBCRYPTO) testutil.o @target=$(D2ITEST) testutil=testutil.o; $(BUILD_CMD) +$(SSLTESTCTXTEST)$(EXE_EXT): $(SSLTESTCTXTEST).o testutil.o $(DLIBCRYPTO) + @target=$(SSLTESTCTXTEST); $(BUILD_CMD) + +$(SSLTESTCTXTEST)$(EXE_EXT): $(SSLTESTCTXTEST).o testutil.o ssl_test_ctx.o \ + $(DLIBCRYPTO) + @target=$(SSLTESTCTXTEST) testutil="testutil.o ssl_test_ctx.o"; \ + $(BUILD_CMD) + +$(NEWSSLTEST)$(EXE_EXT): $(NEWSSLTEST).o testutil.o ssl_test_ctx.o \ + handshake_helper.o $(DLIBSSL) $(DLIBCRYPTO) + @target=$(NEWSSLTEST) testutil="testutil.o ssl_test_ctx.o \ + handshake_helper.o"; $(BUILD_CMD) + # DO NOT DELETE THIS LINE -- make depend depends on it. diff --git a/test/README.ssltest.md b/test/README.ssltest.md new file mode 100644 index 0000000..b65a0d7 --- /dev/null +++ b/test/README.ssltest.md 
@@ -0,0 +1,139 @@ +# SSL tests + +SSL testcases are configured in the `ssl-tests` directory. + +Each `ssl_*.conf.in` file contains a number of test configurations. These files +are used to generate testcases in the OpenSSL CONF format. + +The precise test output can be dependent on the library configuration. The test +harness generates the output files on the fly. + +However, for verification, we also include checked-in configuration outputs +corresponding to the default configuration. These testcases live in +`test/ssl-tests/*.conf` files. Therefore, whenever you're adding or updating a +generated test, you should run + +``` +$ ./config +$ cd test +$ TOP=.. perl -I testlib/ generate_ssl_tests.pl ssl-tests/my.conf.in \ + > ssl-tests/my.conf +``` + +where `my.conf.in` is your test input file. + +For example, to generate the test cases in `ssl-tests/01-simple.conf.in`, do + +``` +$ TOP=.. perl generate_ssl_tests.pl ssl-tests/01-simple.conf.in > ssl-tests/01-simple.conf +``` + +For more details, see `ssl-tests/01-simple.conf.in` for an example. + +## Configuring the test + +First, give your test a name. The names do not have to be unique. + +An example test input looks like this: + +``` + { + name => "test-default", + server => { "CipherString" => "DEFAULT" }, + client => { "CipherString" => "DEFAULT" }, + test => { "ExpectedResult" => "Success" }, + } +``` + +The test section supports the following options: + +* ExpectedResult - expected handshake outcome. One of + - Success - handshake success + - ServerFail - serverside handshake failure + - ClientFail - clientside handshake failure + - InternalError - some other error + +* ClientAlert, ServerAlert - expected alert. See `ssl_test_ctx.c` for known + values. + +* Protocol - expected negotiated protocol. One of + SSLv3, TLSv1, TLSv1.1, TLSv1.2. + +## Configuring the client and server + +The client and server configurations can be any valid `SSL_CTX` +configurations. For details, see the manpages for `SSL_CONF_cmd`. 
+ +Give your configurations as a dictionary of CONF commands, e.g. + +``` +server => { + "CipherString" => "DEFAULT", + "MinProtocol" => "TLSv1", +} +``` + +### Default server and client configurations + +The default server certificate and CA files are added to the configurations +automatically. Server certificate verification is requested by default. + +You can override these options by redefining them: + +``` +client => { + "VerifyCAFile" => "/path/to/custom/file" +} +``` + +or by deleting them + +``` +client => { + "VerifyCAFile" => undef +} +``` + +## Adding a test to the test harness + +Add your configuration file to `test/recipes/80-test_ssl_new.t`. + +## Running the tests with the test harness + +``` +HARNESS_VERBOSE=yes make TESTS=test_ssl_new test +``` + +## Running a test manually + +These steps are only needed during development. End users should run `make test` +or follow the instructions above to run the SSL test suite. + +To run an SSL test manually from the command line, the `TEST_CERTS_DIR` +environment variable to point to the location of the certs. E.g., from the root +OpenSSL directory, do + +``` +$ TEST_CERTS_DIR=test/certs test/ssl_test test/ssl-tests/01-simple.conf +``` + +or for shared builds + +``` +$ TEST_CERTS_DIR=test/certs util/shlib_wrap.sh test/ssl_test \ + test/ssl-tests/01-simple.conf +``` + +Note that the test expectations sometimes depend on the Configure settings. For +example, the negotiated protocol depends on the set of available (enabled) +protocols: a build with `enable-ssl3` has different test expectations than a +build with `no-ssl3`. + +The Perl test harness automatically generates expected outputs, so users who +just run `make test` do not need any extra steps. + +However, when running a test manually, keep in mind that the repository version +of the generated `test/ssl-tests/*.conf` correspond to expected outputs in with +the default Configure options. 
To run `ssl_test` manually from the command line +in a build with a different configuration, you may need to generate the right +`*.conf` file from the `*.conf.in` input first. diff --git a/test/build.info b/test/build.info index 083412c..2bbf1ba 100644 --- a/test/build.info +++ b/test/build.info @@ -14,7 +14,8 @@ PROGRAMS=\ danetest heartbeat_test p5_crpt2_test \ constant_time_test verify_extra_test clienthellotest \ packettest asynctest secmemtest srptest memleaktest \ - dtlsv1listentest ct_test threadstest afalgtest d2i_test + dtlsv1listentest ct_test threadstest afalgtest d2i_test \ + ssl_test_ctx_test ssl_test SOURCE[aborttest]=aborttest.c INCLUDE[aborttest]={- rel2abs(catdir($builddir,"../include")) -} ../include @@ -224,4 +225,14 @@ SOURCE[d2i_test]=d2i_test.c testutil.c INCLUDE[d2i_test]={- rel2abs(catdir($builddir,"../include")) -} .. ../include DEPEND[d2i_test]=../libcrypto +SOURCE[ssl_test_ctx_test]=ssl_test_ctx_test.c ssl_test_ctx.c testutil.c +INCLUDE[ssl_test_ctx_test]={- rel2abs(catdir($builddir,"../include")) -} .. ../include +DEPEND[ssl_test_ctx_test]=../libcrypto + +SOURCE[ssl_test]=ssl_test.c ssl_test_ctx.c testutil.c handshake_helper.c +INCLUDE[ssl_test]={- rel2abs(catdir($builddir,"../include")) -} .. ../include +DEPEND[ssl_test]=../libcrypto ../libssl + INCLUDE[testutil.o]=.. +INCLUDE[ssl_test_ctx.o]={- rel2abs(catdir($builddir,"../include")) -} ../include +INCLUDE[handshake_helper.o]={- rel2abs(catdir($builddir,"../include")) -} ../include diff --git a/test/generate_ssl_tests.pl b/test/generate_ssl_tests.pl new file mode 100644 index 0000000..713fb3f --- /dev/null +++ b/test/generate_ssl_tests.pl 
@@ -0,0 +1,104 @@ +#! /usr/bin/perl +# -*- mode: perl; -*- + +## SSL testcase generator + +use strict; +use warnings; + +use File::Basename; +use File::Spec::Functions; + +use OpenSSL::Test qw/srctop_dir srctop_file/; +use OpenSSL::Test::Utils; + +# This block needs to run before 'use lib srctop_dir' directives. +BEGIN { + OpenSSL::Test::setup("no_test_here"); +} + +use lib srctop_dir("util"); # for with_fallback +use lib srctop_dir("test", "ssl-tests"); # for ssltests_base + +use with_fallback qw(Text::Template); + +use vars qw/@ISA/; +push (@ISA, qw/Text::Template/); + +use ssltests_base; + +sub print_templates { + my $source = srctop_file("test", "ssl_test.tmpl"); + my $template = Text::Template->new(TYPE => 'FILE', SOURCE => $source); + + print "# Generated with generate_ssl_tests.pl\n\n"; + + my $num = scalar @ssltests::tests; + + # Add the implicit base configuration. + foreach my $test (@ssltests::tests) { + $test->{"server"} = { (%ssltests::base_server, %{$test->{"server"}}) }; + $test->{"client"} = { (%ssltests::base_client, %{$test->{"client"}}) }; + } + + # ssl_test expects to find a + # + # num_tests = n + # + # directive in the file. It'll then look for configuration directives + # for n tests, that each look like this: + # + # test-n = test-section + # + # [test-section] + # (SSL modules for client and server configuration go here.) + # + # [test-n] + # (Test configuration goes here.) + print "num_tests = $num\n\n"; + + # The conf module locations must come before everything else, because + # they look like + # + # test-n = test-section + # + # and you can't mix and match them with sections. + my $idx = 0; + + foreach my $test (@ssltests::tests) { + my $testname = "${idx}-" . $test->{'name'}; + print "test-$idx = $testname\n"; + $idx++; + } + + $idx = 0; + + foreach my $test (@ssltests::tests) { + my $testname = "${idx}-" . 
$test->{'name'}; + my $text = $template->fill_in( + HASH => [{ idx => $idx, testname => $testname } , $test], + DELIMITERS => [ "{-", "-}" ]); + print "# ===========================================================\n\n"; + print "$text\n"; + $idx++; + } +} + +# Shamelessly copied from Configure. +sub read_config { + my $fname = shift; + open(INPUT, "< $fname") + or die "Can't open input file '$fname'!\n"; + local $/ = undef; + my $content = ; + close(INPUT); + eval $content; + warn $@ if $@; +} + +my $input_file = shift; +# Reads the tests into ssltests::tests. +read_config($input_file); +print_templates(); + +1; diff --git a/test/handshake_helper.c b/test/handshake_helper.c new file mode 100644 index 0000000..4682d45 --- /dev/null +++ b/test/handshake_helper.c 
@@ -0,0 +1,239 @@ +/* + * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL licenses, (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * https://www.openssl.org/source/license.html + * or in the file LICENSE in the source distribution. + */ + +#include + +#include +#include + +#include "handshake_helper.h" + +/* + * Since there appears to be no way to extract the sent/received alert + * from the SSL object directly, we use the info callback and stash + * the result in ex_data. + */ +typedef struct handshake_ex_data { + int alert_sent; + int alert_received; +} HANDSHAKE_EX_DATA; + +static int ex_data_idx; + +static void info_callback(const SSL *s, int where, int ret) +{ + if (where & SSL_CB_ALERT) { + HANDSHAKE_EX_DATA *ex_data = + (HANDSHAKE_EX_DATA*)(SSL_get_ex_data(s, ex_data_idx)); + if (where & SSL_CB_WRITE) { + ex_data->alert_sent = ret; + } else { + ex_data->alert_received = ret; + } + } +} + +typedef enum { + PEER_SUCCESS, + PEER_RETRY, + PEER_ERROR +} peer_status_t; + +static peer_status_t do_handshake_step(SSL *ssl) +{ + int ret; + + ret = SSL_do_handshake(ssl); + + if (ret == 1) { + return PEER_SUCCESS; + } else if (ret == 0) { + return PEER_ERROR; + } else { + int error = SSL_get_error(ssl, ret); + /* Memory bios should never block with SSL_ERROR_WANT_WRITE. */ + if (error == SSL_ERROR_WANT_READ) + return PEER_RETRY; + else + return PEER_ERROR; + } +} + +typedef enum { + /* Both parties succeeded. */ + HANDSHAKE_SUCCESS, + /* Client errored. */ + CLIENT_ERROR, + /* Server errored. */ + SERVER_ERROR, + /* Peers are in inconsistent state. */ + INTERNAL_ERROR, + /* One or both peers not done. */ + HANDSHAKE_RETRY +} handshake_status_t; + +/* + * Determine the handshake outcome. + * last_status: the status of the peer to have acted last. + * previous_status: the status of the peer that didn't act last. 
+ * client_spoke_last: 1 if the client went last. + */ +static handshake_status_t handshake_status(peer_status_t last_status, + peer_status_t previous_status, + int client_spoke_last) +{ + switch (last_status) { + case PEER_SUCCESS: + switch (previous_status) { + case PEER_SUCCESS: + /* Both succeeded. */ + return HANDSHAKE_SUCCESS; + case PEER_RETRY: + /* Let the first peer finish. */ + return HANDSHAKE_RETRY; + case PEER_ERROR: + /* + * Second peer succeeded despite the fact that the first peer + * already errored. This shouldn't happen. + */ + return INTERNAL_ERROR; + } + + case PEER_RETRY: + if (previous_status == PEER_RETRY) { + /* Neither peer is done. */ + return HANDSHAKE_RETRY; + } else { + /* + * Deadlock: second peer is waiting for more input while first + * peer thinks they're done (no more input is coming). + */ + return INTERNAL_ERROR; + } + case PEER_ERROR: + switch (previous_status) { + case PEER_SUCCESS: + /* + * First peer succeeded but second peer errored. + * TODO(emilia): we should be able to continue here (with some + * application data?) to ensure the first peer receives the + * alert / close_notify. + */ + return client_spoke_last ? CLIENT_ERROR : SERVER_ERROR; + case PEER_RETRY: + /* We errored; let the peer finish. */ + return HANDSHAKE_RETRY; + case PEER_ERROR: + /* Both peers errored. Return the one that errored first. */ + return client_spoke_last ? SERVER_ERROR : CLIENT_ERROR; + } + } + /* Control should never reach here. 
*/ + return INTERNAL_ERROR; +} + +HANDSHAKE_RESULT do_handshake(SSL_CTX *server_ctx, SSL_CTX *client_ctx) +{ + SSL *server, *client; + BIO *client_to_server, *server_to_client; + HANDSHAKE_EX_DATA server_ex_data, client_ex_data; + HANDSHAKE_RESULT ret; + int client_turn = 1; + peer_status_t client_status = PEER_RETRY, server_status = PEER_RETRY; + handshake_status_t status = HANDSHAKE_RETRY; + + server = SSL_new(server_ctx); + client = SSL_new(client_ctx); + OPENSSL_assert(server != NULL && client != NULL); + + memset(&server_ex_data, 0, sizeof(server_ex_data)); + memset(&client_ex_data, 0, sizeof(client_ex_data)); + memset(&ret, 0, sizeof(ret)); + ret.result = SSL_TEST_INTERNAL_ERROR; + + client_to_server = BIO_new(BIO_s_mem()); + server_to_client = BIO_new(BIO_s_mem()); + + OPENSSL_assert(client_to_server != NULL && server_to_client != NULL); + + /* Non-blocking bio. */ + BIO_set_nbio(client_to_server, 1); + BIO_set_nbio(server_to_client, 1); + + SSL_set_connect_state(client); + SSL_set_accept_state(server); + + /* The bios are now owned by the SSL object. */ + SSL_set_bio(client, server_to_client, client_to_server); + OPENSSL_assert(BIO_up_ref(server_to_client) > 0); + OPENSSL_assert(BIO_up_ref(client_to_server) > 0); + SSL_set_bio(server, client_to_server, server_to_client); + + ex_data_idx = SSL_get_ex_new_index(0, "ex data", NULL, NULL, NULL); + OPENSSL_assert(ex_data_idx >= 0); + + OPENSSL_assert(SSL_set_ex_data(server, ex_data_idx, + &server_ex_data) == 1); + OPENSSL_assert(SSL_set_ex_data(client, ex_data_idx, + &client_ex_data) == 1); + + SSL_set_info_callback(server, &info_callback); + SSL_set_info_callback(client, &info_callback); + + /* + * Half-duplex handshake loop. + * Client and server speak to each other synchronously in the same process. + * We use non-blocking BIOs, so whenever one peer blocks for read, it + * returns PEER_RETRY to indicate that it's the other peer's turn to write. + * The handshake succeeds once both peers have succeeded. 
If one peer + * errors out, we also let the other peer retry (and presumably fail). + */ + for(;;) { + if (client_turn) { + client_status = do_handshake_step(client); + status = handshake_status(client_status, server_status, + 1 /* client went last */); + } else { + server_status = do_handshake_step(server); + status = handshake_status(server_status, client_status, + 0 /* server went last */); + } + + switch (status) { + case HANDSHAKE_SUCCESS: + ret.result = SSL_TEST_SUCCESS; + goto err; + case CLIENT_ERROR: + ret.result = SSL_TEST_CLIENT_FAIL; + goto err; + case SERVER_ERROR: + ret.result = SSL_TEST_SERVER_FAIL; + goto err; + case INTERNAL_ERROR: + ret.result = SSL_TEST_INTERNAL_ERROR; + goto err; + case HANDSHAKE_RETRY: + /* Continue. */ + client_turn ^= 1; + break; + } + } + err: + ret.server_alert_sent = server_ex_data.alert_sent; + ret.server_alert_received = client_ex_data.alert_received; + ret.client_alert_sent = client_ex_data.alert_sent; + ret.client_alert_received = server_ex_data.alert_received; + ret.server_protocol = SSL_version(server); + ret.client_protocol = SSL_version(client); + + SSL_free(server); + SSL_free(client); + return ret; +} diff --git a/test/handshake_helper.h b/test/handshake_helper.h new file mode 100644 index 0000000..56dfb19 --- /dev/null +++ b/test/handshake_helper.h 
@@ -0,0 +1,35 @@ +/* + * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL licenses, (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * https://www.openssl.org/source/license.html + * or in the file LICENSE in the source distribution. + */ + +#ifndef HEADER_HANDSHAKE_HELPER_H +#define HEADER_HANDSHAKE_HELPER_H + +#include "ssl_test_ctx.h" + +typedef struct handshake_result { + ssl_test_result_t result; + /* These alerts are in the 2-byte format returned by the info_callback. */ + /* Alert sent by the client; 0 if no alert. */ + int client_alert_sent; + /* Alert received by the server; 0 if no alert. */ + int client_alert_received; + /* Alert sent by the server; 0 if no alert. */ + int server_alert_sent; + /* Alert received by the client; 0 if no alert. */ + int server_alert_received; + /* Negotiated protocol. On success, these should always match. */ + int server_protocol; + int client_protocol; +} HANDSHAKE_RESULT; + +/* Do a handshake and report some information about the result. */ +HANDSHAKE_RESULT do_handshake(SSL_CTX *server_ctx, SSL_CTX *client_ctx); + +#endif /* HEADER_HANDSHAKE_HELPER_H */ diff --git a/test/recipes/80-test_ssl.t b/test/recipes/80-test_ssl.t index 45750b4..8cb33a1 100644 --- a/test/recipes/80-test_ssl.t +++ b/test/recipes/80-test_ssl.t @@ -66,10 +66,13 @@ my $P2intermediate="tmp_intP2.ss"; my $server_sess="server.ss"; my $client_sess="client.ss"; +# ssltest.c is deprecated in favour of the new framework in ssl_test.c +# If you're adding tests here, you probably want to convert them to the +# new format in ssl_test.c and add recipes to 80-test_ssl_new.t instead. plan tests => 1 # For testss + 1 # For ssltest -test_cipherlist - + 15 # For the first testssl + + 14 # For the first testssl + 16 # For the first testsslproxy + 16 # For the second testsslproxy ; 
@@ -712,55 +715,6 @@ sub testssl { } }; - subtest 'TLS Version min/max tests' => sub { - my @protos; - push(@protos, "ssl3") unless $no_ssl3; - push(@protos, "tls1") unless $no_tls1; - push(@protos, "tls1.1") unless $no_tls1_1; - push(@protos, "tls1.2") unless $no_tls1_2; - my @minprotos = (undef, @protos); - my @maxprotos = (@protos, undef); - my @shdprotos = (@protos, $protos[$#protos]); - my $n = ((@protos+2) * (@protos+3))/2 - 2; - my $ntests = $n * $n; - plan tests => $ntests; - SKIP: { - skip "TLS disabled", 1 if $ntests == 1; - - my $should; - for (my $smin = 0; $smin < @minprotos; ++$smin) { - for (my $smax = $smin ? $smin - 1 : 0; $smax < @maxprotos; ++$smax) { - for (my $cmin = 0; $cmin < @minprotos; ++$cmin) { - for (my $cmax = $cmin ? $cmin - 1 : 0; $cmax < @maxprotos; ++$cmax) { - if ($cmax < $smin-1) { - $should = "fail-server"; - } elsif ($smax < $cmin-1) { - $should = "fail-client"; - } elsif ($cmax > $smax) { - $should = $shdprotos[$smax]; - } else { - $should = $shdprotos[$cmax]; - } - - my @args = @ssltest; - push(@args, "-should_negotiate", $should); - push(@args, "-server_min_proto", $minprotos[$smin]) - if (defined($minprotos[$smin])); - push(@args, "-server_max_proto", $maxprotos[$smax]) - if (defined($maxprotos[$smax])); - push(@args, "-client_min_proto", $minprotos[$cmin]) - if (defined($minprotos[$cmin])); - push(@args, "-client_max_proto", $maxprotos[$cmax]) - if (defined($maxprotos[$cmax])); - my $ok = run(test[@args]); - if (! $ok) { - print STDERR "\nsmin=$smin, smax=$smax, cmin=$cmin, cmax=$cmax\n"; - print STDERR "\nFailed: @args\n"; - } - ok($ok); - }}}}} - }; - subtest 'DTLS Version min/max tests' => sub { my @protos; push(@protos, "dtls1") unless ($no_dtls1 || $no_dtls); diff --git a/test/recipes/80-test_ssl_new.t b/test/recipes/80-test_ssl_new.t new file mode 100644 index 0000000..da98f18 --- /dev/null +++ b/test/recipes/80-test_ssl_new.t 
@@ -0,0 +1,80 @@ +#! /usr/bin/perl + +use strict; +use warnings; + +use File::Basename; +use File::Compare qw/compare_text/; + +use OpenSSL::Test qw/:DEFAULT srctop_dir srctop_file/; +use OpenSSL::Test::Utils qw/disabled alldisabled available_protocols/; + +setup("test_ssl_new"); + +$ENV{TEST_CERTS_DIR} = srctop_dir("test", "certs"); + +my @conf_srcs = glob(srctop_file("test", "ssl-tests", "*.conf")); +my @conf_files = map {basename($_)} @conf_srcs; + +# 02-protocol-version.conf test results depend on the configuration of enabled +# protocols. We only verify generated sources in the default configuration. +my $is_default = (disabled("ssl3") && !disabled("tls1") && + !disabled("tls1_1") && !disabled("tls1_2")); + +my %conf_dependent_tests = ("02-protocol-version.conf" => 1); + +foreach my $conf (@conf_files) { + subtest "Test configuration $conf" => sub { + test_conf($conf, $conf_dependent_tests{$conf} ? 0 : 1); + } +} + +# We hard-code the number of tests to double-check that the globbing above +# finds all files as expected. +plan tests => 2; # = scalar @conf_files + +sub test_conf { + plan tests => 3; + + my ($conf, $check_source) = @_; + + my $conf_file = srctop_file("test", "ssl-tests", $conf); + my $tmp_file = "${conf}.$$.tmp"; + my $run_test = 1; + + SKIP: { + # "Test" 1. Generate the source. + my $input_file = $conf_file . ".in"; + + skip 'failure', 2 unless + ok(run(perltest(["generate_ssl_tests.pl", $input_file], + stdout => $tmp_file)), + "Getting output from generate_ssl_tests.pl."); + + SKIP: { + # Test 2. Compare against existing output in test/ssl_tests.conf. + skip "Skipping generated source test for $conf", 1 + if !$check_source; + + $run_test = is(cmp_text($tmp_file, $conf_file), 0, + "Comparing generated sources."); + } + + # Test 3. Run the test. 
+ my $no_tls = alldisabled(available_protocols("tls")); + skip "No TLS tests available; skipping tests", 1 if $no_tls; + skip "Stale sources; skipping tests", 1 if !$run_test; + + ok(run(test(["ssl_test", $tmp_file])), "running ssl_test $conf"); + } + + unlink glob $tmp_file; +} + +sub cmp_text { + return compare_text(@_, sub { + $_[0] =~ s/\R//g; + $_[1] =~ s/\R//g; + return $_[0] ne $_[1]; + }); +} diff --git a/test/recipes/80-test_ssl_test_ctx.t b/test/recipes/80-test_ssl_test_ctx.t new file mode 100644 index 0000000..210e4e8 --- /dev/null +++ b/test/recipes/80-test_ssl_test_ctx.t @@ -0,0 +1,12 @@ +#! /usr/bin/perl + +use strict; +use warnings; + +use OpenSSL::Test qw/:DEFAULT srctop_file/; + +setup("test_ssl_test_ctx"); + +plan tests => 1; +ok(run(test(["ssl_test_ctx_test", srctop_file("test", "ssl_test_ctx_test.conf")])), + "running ssl_test_ctx_test ssl_test_ctx_test.conf"); diff --git a/test/ssl-tests/01-simple.conf b/test/ssl-tests/01-simple.conf new file mode 100644 index 0000000..8c8067d --- /dev/null +++ b/test/ssl-tests/01-simple.conf 
@@ -0,0 +1,56 @@ +# Generated with generate_ssl_tests.pl + +num_tests = 2 + +test-0 = 0-default +test-1 = 1-verify-cert +# =========================================================== + +[0-default] +ssl_conf = 0-default-ssl + +[0-default-ssl] +server = 0-default-server +client = 0-default-client + +[0-default-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[0-default-client] +CipherString = DEFAULT +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-0] +ExpectedResult = Success + + +# =========================================================== + +[1-verify-cert] +ssl_conf = 1-verify-cert-ssl + +[1-verify-cert-ssl] +server = 1-verify-cert-server +client = 1-verify-cert-client + +[1-verify-cert-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[1-verify-cert-client] +CipherString = DEFAULT +VerifyMode = Peer + + +[test-1] +ClientAlert = UnknownCA +ExpectedResult = ClientFail + + diff --git a/test/ssl-tests/01-simple.conf.in b/test/ssl-tests/01-simple.conf.in new file mode 100644 index 0000000..a152f66 --- /dev/null +++ b/test/ssl-tests/01-simple.conf.in @@ -0,0 +1,27 @@ +# -*- mode: perl; -*- + +## SSL test configurations + +package ssltests; + +our @tests = ( + { + name => "default", + server => { }, + client => { }, + test => { "ExpectedResult" => "Success" }, + }, + + { + name => "verify-cert", + server => { }, + client => { + # Don't set up the client root file. + "VerifyCAFile" => undef, + }, + test => { + "ExpectedResult" => "ClientFail", + "ClientAlert" => "UnknownCA", + }, + }, +); diff --git a/test/ssl-tests/02-protocol-version.conf b/test/ssl-tests/02-protocol-version.conf new file mode 100644 index 0000000..dc46bfa --- /dev/null +++ b/test/ssl-tests/02-protocol-version.conf 
@@ -0,0 +1,10697 @@ +# Generated with generate_ssl_tests.pl + +num_tests = 361 + +test-0 = 0-version-negotiation +test-1 = 1-version-negotiation +test-2 = 2-version-negotiation +test-3 = 3-version-negotiation +test-4 = 4-version-negotiation +test-5 = 5-version-negotiation +test-6 = 6-version-negotiation +test-7 = 7-version-negotiation +test-8 = 8-version-negotiation +test-9 = 9-version-negotiation +test-10 = 10-version-negotiation +test-11 = 11-version-negotiation +test-12 = 12-version-negotiation +test-13 = 13-version-negotiation +test-14 = 14-version-negotiation +test-15 = 15-version-negotiation +test-16 = 16-version-negotiation +test-17 = 17-version-negotiation +test-18 = 18-version-negotiation +test-19 = 19-version-negotiation +test-20 = 20-version-negotiation +test-21 = 21-version-negotiation +test-22 = 22-version-negotiation +test-23 = 23-version-negotiation +test-24 = 24-version-negotiation +test-25 = 25-version-negotiation +test-26 = 26-version-negotiation +test-27 = 27-version-negotiation +test-28 = 28-version-negotiation +test-29 = 29-version-negotiation +test-30 = 30-version-negotiation +test-31 = 31-version-negotiation +test-32 = 32-version-negotiation +test-33 = 33-version-negotiation +test-34 = 34-version-negotiation +test-35 = 35-version-negotiation +test-36 = 36-version-negotiation +test-37 = 37-version-negotiation +test-38 = 38-version-negotiation +test-39 = 39-version-negotiation +test-40 = 40-version-negotiation +test-41 = 41-version-negotiation +test-42 = 42-version-negotiation +test-43 = 43-version-negotiation +test-44 = 44-version-negotiation +test-45 = 45-version-negotiation +test-46 = 46-version-negotiation +test-47 = 47-version-negotiation +test-48 = 48-version-negotiation +test-49 = 49-version-negotiation +test-50 = 50-version-negotiation +test-51 = 51-version-negotiation +test-52 = 52-version-negotiation +test-53 = 53-version-negotiation +test-54 = 54-version-negotiation +test-55 = 55-version-negotiation +test-56 = 56-version-negotiation 
+test-57 = 57-version-negotiation +test-58 = 58-version-negotiation +test-59 = 59-version-negotiation +test-60 = 60-version-negotiation +test-61 = 61-version-negotiation +test-62 = 62-version-negotiation +test-63 = 63-version-negotiation +test-64 = 64-version-negotiation +test-65 = 65-version-negotiation +test-66 = 66-version-negotiation +test-67 = 67-version-negotiation +test-68 = 68-version-negotiation +test-69 = 69-version-negotiation +test-70 = 70-version-negotiation +test-71 = 71-version-negotiation +test-72 = 72-version-negotiation +test-73 = 73-version-negotiation +test-74 = 74-version-negotiation +test-75 = 75-version-negotiation +test-76 = 76-version-negotiation +test-77 = 77-version-negotiation +test-78 = 78-version-negotiation +test-79 = 79-version-negotiation +test-80 = 80-version-negotiation +test-81 = 81-version-negotiation +test-82 = 82-version-negotiation +test-83 = 83-version-negotiation +test-84 = 84-version-negotiation +test-85 = 85-version-negotiation +test-86 = 86-version-negotiation +test-87 = 87-version-negotiation +test-88 = 88-version-negotiation +test-89 = 89-version-negotiation +test-90 = 90-version-negotiation +test-91 = 91-version-negotiation +test-92 = 92-version-negotiation +test-93 = 93-version-negotiation +test-94 = 94-version-negotiation +test-95 = 95-version-negotiation +test-96 = 96-version-negotiation +test-97 = 97-version-negotiation +test-98 = 98-version-negotiation +test-99 = 99-version-negotiation +test-100 = 100-version-negotiation +test-101 = 101-version-negotiation +test-102 = 102-version-negotiation +test-103 = 103-version-negotiation +test-104 = 104-version-negotiation +test-105 = 105-version-negotiation +test-106 = 106-version-negotiation +test-107 = 107-version-negotiation +test-108 = 108-version-negotiation +test-109 = 109-version-negotiation +test-110 = 110-version-negotiation +test-111 = 111-version-negotiation +test-112 = 112-version-negotiation +test-113 = 113-version-negotiation +test-114 = 
114-version-negotiation +test-115 = 115-version-negotiation +test-116 = 116-version-negotiation +test-117 = 117-version-negotiation +test-118 = 118-version-negotiation +test-119 = 119-version-negotiation +test-120 = 120-version-negotiation +test-121 = 121-version-negotiation +test-122 = 122-version-negotiation +test-123 = 123-version-negotiation +test-124 = 124-version-negotiation +test-125 = 125-version-negotiation +test-126 = 126-version-negotiation +test-127 = 127-version-negotiation +test-128 = 128-version-negotiation +test-129 = 129-version-negotiation +test-130 = 130-version-negotiation +test-131 = 131-version-negotiation +test-132 = 132-version-negotiation +test-133 = 133-version-negotiation +test-134 = 134-version-negotiation +test-135 = 135-version-negotiation +test-136 = 136-version-negotiation +test-137 = 137-version-negotiation +test-138 = 138-version-negotiation +test-139 = 139-version-negotiation +test-140 = 140-version-negotiation +test-141 = 141-version-negotiation +test-142 = 142-version-negotiation +test-143 = 143-version-negotiation +test-144 = 144-version-negotiation +test-145 = 145-version-negotiation +test-146 = 146-version-negotiation +test-147 = 147-version-negotiation +test-148 = 148-version-negotiation +test-149 = 149-version-negotiation +test-150 = 150-version-negotiation +test-151 = 151-version-negotiation +test-152 = 152-version-negotiation +test-153 = 153-version-negotiation +test-154 = 154-version-negotiation +test-155 = 155-version-negotiation +test-156 = 156-version-negotiation +test-157 = 157-version-negotiation +test-158 = 158-version-negotiation +test-159 = 159-version-negotiation +test-160 = 160-version-negotiation +test-161 = 161-version-negotiation +test-162 = 162-version-negotiation +test-163 = 163-version-negotiation +test-164 = 164-version-negotiation +test-165 = 165-version-negotiation +test-166 = 166-version-negotiation +test-167 = 167-version-negotiation +test-168 = 168-version-negotiation +test-169 = 
169-version-negotiation +test-170 = 170-version-negotiation +test-171 = 171-version-negotiation +test-172 = 172-version-negotiation +test-173 = 173-version-negotiation +test-174 = 174-version-negotiation +test-175 = 175-version-negotiation +test-176 = 176-version-negotiation +test-177 = 177-version-negotiation +test-178 = 178-version-negotiation +test-179 = 179-version-negotiation +test-180 = 180-version-negotiation +test-181 = 181-version-negotiation +test-182 = 182-version-negotiation +test-183 = 183-version-negotiation +test-184 = 184-version-negotiation +test-185 = 185-version-negotiation +test-186 = 186-version-negotiation +test-187 = 187-version-negotiation +test-188 = 188-version-negotiation +test-189 = 189-version-negotiation +test-190 = 190-version-negotiation +test-191 = 191-version-negotiation +test-192 = 192-version-negotiation +test-193 = 193-version-negotiation +test-194 = 194-version-negotiation +test-195 = 195-version-negotiation +test-196 = 196-version-negotiation +test-197 = 197-version-negotiation +test-198 = 198-version-negotiation +test-199 = 199-version-negotiation +test-200 = 200-version-negotiation +test-201 = 201-version-negotiation +test-202 = 202-version-negotiation +test-203 = 203-version-negotiation +test-204 = 204-version-negotiation +test-205 = 205-version-negotiation +test-206 = 206-version-negotiation +test-207 = 207-version-negotiation +test-208 = 208-version-negotiation +test-209 = 209-version-negotiation +test-210 = 210-version-negotiation +test-211 = 211-version-negotiation +test-212 = 212-version-negotiation +test-213 = 213-version-negotiation +test-214 = 214-version-negotiation +test-215 = 215-version-negotiation +test-216 = 216-version-negotiation +test-217 = 217-version-negotiation +test-218 = 218-version-negotiation +test-219 = 219-version-negotiation +test-220 = 220-version-negotiation +test-221 = 221-version-negotiation +test-222 = 222-version-negotiation +test-223 = 223-version-negotiation +test-224 = 
224-version-negotiation +test-225 = 225-version-negotiation +test-226 = 226-version-negotiation +test-227 = 227-version-negotiation +test-228 = 228-version-negotiation +test-229 = 229-version-negotiation +test-230 = 230-version-negotiation +test-231 = 231-version-negotiation +test-232 = 232-version-negotiation +test-233 = 233-version-negotiation +test-234 = 234-version-negotiation +test-235 = 235-version-negotiation +test-236 = 236-version-negotiation +test-237 = 237-version-negotiation +test-238 = 238-version-negotiation +test-239 = 239-version-negotiation +test-240 = 240-version-negotiation +test-241 = 241-version-negotiation +test-242 = 242-version-negotiation +test-243 = 243-version-negotiation +test-244 = 244-version-negotiation +test-245 = 245-version-negotiation +test-246 = 246-version-negotiation +test-247 = 247-version-negotiation +test-248 = 248-version-negotiation +test-249 = 249-version-negotiation +test-250 = 250-version-negotiation +test-251 = 251-version-negotiation +test-252 = 252-version-negotiation +test-253 = 253-version-negotiation +test-254 = 254-version-negotiation +test-255 = 255-version-negotiation +test-256 = 256-version-negotiation +test-257 = 257-version-negotiation +test-258 = 258-version-negotiation +test-259 = 259-version-negotiation +test-260 = 260-version-negotiation +test-261 = 261-version-negotiation +test-262 = 262-version-negotiation +test-263 = 263-version-negotiation +test-264 = 264-version-negotiation +test-265 = 265-version-negotiation +test-266 = 266-version-negotiation +test-267 = 267-version-negotiation +test-268 = 268-version-negotiation +test-269 = 269-version-negotiation +test-270 = 270-version-negotiation +test-271 = 271-version-negotiation +test-272 = 272-version-negotiation +test-273 = 273-version-negotiation +test-274 = 274-version-negotiation +test-275 = 275-version-negotiation +test-276 = 276-version-negotiation +test-277 = 277-version-negotiation +test-278 = 278-version-negotiation +test-279 = 
279-version-negotiation +test-280 = 280-version-negotiation +test-281 = 281-version-negotiation +test-282 = 282-version-negotiation +test-283 = 283-version-negotiation +test-284 = 284-version-negotiation +test-285 = 285-version-negotiation +test-286 = 286-version-negotiation +test-287 = 287-version-negotiation +test-288 = 288-version-negotiation +test-289 = 289-version-negotiation +test-290 = 290-version-negotiation +test-291 = 291-version-negotiation +test-292 = 292-version-negotiation +test-293 = 293-version-negotiation +test-294 = 294-version-negotiation +test-295 = 295-version-negotiation +test-296 = 296-version-negotiation +test-297 = 297-version-negotiation +test-298 = 298-version-negotiation +test-299 = 299-version-negotiation +test-300 = 300-version-negotiation +test-301 = 301-version-negotiation +test-302 = 302-version-negotiation +test-303 = 303-version-negotiation +test-304 = 304-version-negotiation +test-305 = 305-version-negotiation +test-306 = 306-version-negotiation +test-307 = 307-version-negotiation +test-308 = 308-version-negotiation +test-309 = 309-version-negotiation +test-310 = 310-version-negotiation +test-311 = 311-version-negotiation +test-312 = 312-version-negotiation +test-313 = 313-version-negotiation +test-314 = 314-version-negotiation +test-315 = 315-version-negotiation +test-316 = 316-version-negotiation +test-317 = 317-version-negotiation +test-318 = 318-version-negotiation +test-319 = 319-version-negotiation +test-320 = 320-version-negotiation +test-321 = 321-version-negotiation +test-322 = 322-version-negotiation +test-323 = 323-version-negotiation +test-324 = 324-version-negotiation +test-325 = 325-version-negotiation +test-326 = 326-version-negotiation +test-327 = 327-version-negotiation +test-328 = 328-version-negotiation +test-329 = 329-version-negotiation +test-330 = 330-version-negotiation +test-331 = 331-version-negotiation +test-332 = 332-version-negotiation +test-333 = 333-version-negotiation +test-334 = 
334-version-negotiation +test-335 = 335-version-negotiation +test-336 = 336-version-negotiation +test-337 = 337-version-negotiation +test-338 = 338-version-negotiation +test-339 = 339-version-negotiation +test-340 = 340-version-negotiation +test-341 = 341-version-negotiation +test-342 = 342-version-negotiation +test-343 = 343-version-negotiation +test-344 = 344-version-negotiation +test-345 = 345-version-negotiation +test-346 = 346-version-negotiation +test-347 = 347-version-negotiation +test-348 = 348-version-negotiation +test-349 = 349-version-negotiation +test-350 = 350-version-negotiation +test-351 = 351-version-negotiation +test-352 = 352-version-negotiation +test-353 = 353-version-negotiation +test-354 = 354-version-negotiation +test-355 = 355-version-negotiation +test-356 = 356-version-negotiation +test-357 = 357-version-negotiation +test-358 = 358-version-negotiation +test-359 = 359-version-negotiation +test-360 = 360-version-negotiation +# =========================================================== + +[0-version-negotiation] +ssl_conf = 0-version-negotiation-ssl + +[0-version-negotiation-ssl] +server = 0-version-negotiation-server +client = 0-version-negotiation-client + +[0-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = SSLv3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[0-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = SSLv3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-0] +ExpectedResult = InternalError + + +# =========================================================== + +[1-version-negotiation] +ssl_conf = 1-version-negotiation-ssl + +[1-version-negotiation-ssl] +server = 1-version-negotiation-server +client = 1-version-negotiation-client + +[1-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1 +PrivateKey = 
${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[1-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = SSLv3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-1] +ExpectedResult = InternalError + + +# =========================================================== + +[2-version-negotiation] +ssl_conf = 2-version-negotiation-ssl + +[2-version-negotiation-ssl] +server = 2-version-negotiation-server +client = 2-version-negotiation-client + +[2-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[2-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = SSLv3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-2] +ExpectedResult = InternalError + + +# =========================================================== + +[3-version-negotiation] +ssl_conf = 3-version-negotiation-ssl + +[3-version-negotiation-ssl] +server = 3-version-negotiation-server +client = 3-version-negotiation-client + +[3-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[3-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = SSLv3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-3] +ExpectedResult = InternalError + + +# =========================================================== + +[4-version-negotiation] +ssl_conf = 4-version-negotiation-ssl + +[4-version-negotiation-ssl] +server = 4-version-negotiation-server +client = 4-version-negotiation-client + +[4-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[4-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = SSLv3 +VerifyCAFile = 
${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-4] +ExpectedResult = InternalError + + +# =========================================================== + +[5-version-negotiation] +ssl_conf = 5-version-negotiation-ssl + +[5-version-negotiation-ssl] +server = 5-version-negotiation-server +client = 5-version-negotiation-client + +[5-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = SSLv3 +MinProtocol = SSLv3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[5-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = SSLv3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-5] +ExpectedResult = InternalError + + +# =========================================================== + +[6-version-negotiation] +ssl_conf = 6-version-negotiation-ssl + +[6-version-negotiation-ssl] +server = 6-version-negotiation-server +client = 6-version-negotiation-client + +[6-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1 +MinProtocol = SSLv3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[6-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = SSLv3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-6] +ExpectedResult = InternalError + + +# =========================================================== + +[7-version-negotiation] +ssl_conf = 7-version-negotiation-ssl + +[7-version-negotiation-ssl] +server = 7-version-negotiation-server +client = 7-version-negotiation-client + +[7-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +MinProtocol = SSLv3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[7-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = SSLv3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-7] 
+ExpectedResult = InternalError + + +# =========================================================== + +[8-version-negotiation] +ssl_conf = 8-version-negotiation-ssl + +[8-version-negotiation-ssl] +server = 8-version-negotiation-server +client = 8-version-negotiation-client + +[8-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = SSLv3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[8-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = SSLv3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-8] +ExpectedResult = InternalError + + +# =========================================================== + +[9-version-negotiation] +ssl_conf = 9-version-negotiation-ssl + +[9-version-negotiation-ssl] +server = 9-version-negotiation-server +client = 9-version-negotiation-client + +[9-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MinProtocol = SSLv3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[9-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = SSLv3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-9] +ExpectedResult = InternalError + + +# =========================================================== + +[10-version-negotiation] +ssl_conf = 10-version-negotiation-ssl + +[10-version-negotiation-ssl] +server = 10-version-negotiation-server +client = 10-version-negotiation-client + +[10-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1 +MinProtocol = TLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[10-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = SSLv3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-10] +ExpectedResult = InternalError + + +# 
=========================================================== + +[11-version-negotiation] +ssl_conf = 11-version-negotiation-ssl + +[11-version-negotiation-ssl] +server = 11-version-negotiation-server +client = 11-version-negotiation-client + +[11-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +MinProtocol = TLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[11-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = SSLv3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-11] +ExpectedResult = InternalError + + +# =========================================================== + +[12-version-negotiation] +ssl_conf = 12-version-negotiation-ssl + +[12-version-negotiation-ssl] +server = 12-version-negotiation-server +client = 12-version-negotiation-client + +[12-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[12-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = SSLv3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-12] +ExpectedResult = InternalError + + +# =========================================================== + +[13-version-negotiation] +ssl_conf = 13-version-negotiation-ssl + +[13-version-negotiation-ssl] +server = 13-version-negotiation-server +client = 13-version-negotiation-client + +[13-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MinProtocol = TLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[13-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = SSLv3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-13] +ExpectedResult = InternalError + + +# =========================================================== + 
+[14-version-negotiation] +ssl_conf = 14-version-negotiation-ssl + +[14-version-negotiation-ssl] +server = 14-version-negotiation-server +client = 14-version-negotiation-client + +[14-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +MinProtocol = TLSv1.1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[14-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = SSLv3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-14] +ExpectedResult = InternalError + + +# =========================================================== + +[15-version-negotiation] +ssl_conf = 15-version-negotiation-ssl + +[15-version-negotiation-ssl] +server = 15-version-negotiation-server +client = 15-version-negotiation-client + +[15-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1.1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[15-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = SSLv3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-15] +ExpectedResult = InternalError + + +# =========================================================== + +[16-version-negotiation] +ssl_conf = 16-version-negotiation-ssl + +[16-version-negotiation-ssl] +server = 16-version-negotiation-server +client = 16-version-negotiation-client + +[16-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MinProtocol = TLSv1.1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[16-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = SSLv3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-16] +ExpectedResult = InternalError + + +# =========================================================== + +[17-version-negotiation] +ssl_conf = 
17-version-negotiation-ssl + +[17-version-negotiation-ssl] +server = 17-version-negotiation-server +client = 17-version-negotiation-client + +[17-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[17-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = SSLv3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-17] +ExpectedResult = InternalError + + +# =========================================================== + +[18-version-negotiation] +ssl_conf = 18-version-negotiation-ssl + +[18-version-negotiation-ssl] +server = 18-version-negotiation-server +client = 18-version-negotiation-client + +[18-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MinProtocol = TLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[18-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = SSLv3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-18] +ExpectedResult = InternalError + + +# =========================================================== + +[19-version-negotiation] +ssl_conf = 19-version-negotiation-ssl + +[19-version-negotiation-ssl] +server = 19-version-negotiation-server +client = 19-version-negotiation-client + +[19-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = SSLv3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[19-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-19] +ExpectedResult = ServerFail + + +# =========================================================== + +[20-version-negotiation] +ssl_conf = 20-version-negotiation-ssl + +[20-version-negotiation-ssl] +server = 
20-version-negotiation-server +client = 20-version-negotiation-client + +[20-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[20-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-20] +ExpectedResult = Success +Protocol = TLSv1 + + +# =========================================================== + +[21-version-negotiation] +ssl_conf = 21-version-negotiation-ssl + +[21-version-negotiation-ssl] +server = 21-version-negotiation-server +client = 21-version-negotiation-client + +[21-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[21-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-21] +ExpectedResult = Success +Protocol = TLSv1 + + +# =========================================================== + +[22-version-negotiation] +ssl_conf = 22-version-negotiation-ssl + +[22-version-negotiation-ssl] +server = 22-version-negotiation-server +client = 22-version-negotiation-client + +[22-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[22-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-22] +ExpectedResult = Success +Protocol = TLSv1 + + +# =========================================================== + +[23-version-negotiation] +ssl_conf = 23-version-negotiation-ssl + +[23-version-negotiation-ssl] +server = 23-version-negotiation-server +client = 23-version-negotiation-client 
+ +[23-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[23-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-23] +ExpectedResult = Success +Protocol = TLSv1 + + +# =========================================================== + +[24-version-negotiation] +ssl_conf = 24-version-negotiation-ssl + +[24-version-negotiation-ssl] +server = 24-version-negotiation-server +client = 24-version-negotiation-client + +[24-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = SSLv3 +MinProtocol = SSLv3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[24-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-24] +ExpectedResult = ServerFail + + +# =========================================================== + +[25-version-negotiation] +ssl_conf = 25-version-negotiation-ssl + +[25-version-negotiation-ssl] +server = 25-version-negotiation-server +client = 25-version-negotiation-client + +[25-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1 +MinProtocol = SSLv3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[25-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-25] +ExpectedResult = Success +Protocol = TLSv1 + + +# =========================================================== + +[26-version-negotiation] +ssl_conf = 26-version-negotiation-ssl + +[26-version-negotiation-ssl] +server = 26-version-negotiation-server +client = 26-version-negotiation-client + +[26-version-negotiation-server] +Certificate = 
${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +MinProtocol = SSLv3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[26-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-26] +ExpectedResult = Success +Protocol = TLSv1 + + +# =========================================================== + +[27-version-negotiation] +ssl_conf = 27-version-negotiation-ssl + +[27-version-negotiation-ssl] +server = 27-version-negotiation-server +client = 27-version-negotiation-client + +[27-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = SSLv3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[27-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-27] +ExpectedResult = Success +Protocol = TLSv1 + + +# =========================================================== + +[28-version-negotiation] +ssl_conf = 28-version-negotiation-ssl + +[28-version-negotiation-ssl] +server = 28-version-negotiation-server +client = 28-version-negotiation-client + +[28-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MinProtocol = SSLv3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[28-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-28] +ExpectedResult = Success +Protocol = TLSv1 + + +# =========================================================== + +[29-version-negotiation] +ssl_conf = 29-version-negotiation-ssl + +[29-version-negotiation-ssl] +server = 29-version-negotiation-server +client = 29-version-negotiation-client + +[29-version-negotiation-server] +Certificate = 
${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1 +MinProtocol = TLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[29-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-29] +ExpectedResult = Success +Protocol = TLSv1 + + +# =========================================================== + +[30-version-negotiation] +ssl_conf = 30-version-negotiation-ssl + +[30-version-negotiation-ssl] +server = 30-version-negotiation-server +client = 30-version-negotiation-client + +[30-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +MinProtocol = TLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[30-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-30] +ExpectedResult = Success +Protocol = TLSv1 + + +# =========================================================== + +[31-version-negotiation] +ssl_conf = 31-version-negotiation-ssl + +[31-version-negotiation-ssl] +server = 31-version-negotiation-server +client = 31-version-negotiation-client + +[31-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[31-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-31] +ExpectedResult = Success +Protocol = TLSv1 + + +# =========================================================== + +[32-version-negotiation] +ssl_conf = 32-version-negotiation-ssl + +[32-version-negotiation-ssl] +server = 32-version-negotiation-server +client = 32-version-negotiation-client + +[32-version-negotiation-server] +Certificate = 
${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MinProtocol = TLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[32-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-32] +ExpectedResult = Success +Protocol = TLSv1 + + +# =========================================================== + +[33-version-negotiation] +ssl_conf = 33-version-negotiation-ssl + +[33-version-negotiation-ssl] +server = 33-version-negotiation-server +client = 33-version-negotiation-client + +[33-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +MinProtocol = TLSv1.1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[33-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-33] +ExpectedResult = ServerFail + + +# =========================================================== + +[34-version-negotiation] +ssl_conf = 34-version-negotiation-ssl + +[34-version-negotiation-ssl] +server = 34-version-negotiation-server +client = 34-version-negotiation-client + +[34-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1.1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[34-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-34] +ExpectedResult = ServerFail + + +# =========================================================== + +[35-version-negotiation] +ssl_conf = 35-version-negotiation-ssl + +[35-version-negotiation-ssl] +server = 35-version-negotiation-server +client = 35-version-negotiation-client + +[35-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = 
DEFAULT +MinProtocol = TLSv1.1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[35-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-35] +ExpectedResult = ServerFail + + +# =========================================================== + +[36-version-negotiation] +ssl_conf = 36-version-negotiation-ssl + +[36-version-negotiation-ssl] +server = 36-version-negotiation-server +client = 36-version-negotiation-client + +[36-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[36-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-36] +ExpectedResult = ServerFail + + +# =========================================================== + +[37-version-negotiation] +ssl_conf = 37-version-negotiation-ssl + +[37-version-negotiation-ssl] +server = 37-version-negotiation-server +client = 37-version-negotiation-client + +[37-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MinProtocol = TLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[37-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-37] +ExpectedResult = ServerFail + + +# =========================================================== + +[38-version-negotiation] +ssl_conf = 38-version-negotiation-ssl + +[38-version-negotiation-ssl] +server = 38-version-negotiation-server +client = 38-version-negotiation-client + +[38-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = SSLv3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + 
+[38-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-38] +ExpectedResult = ServerFail + + +# =========================================================== + +[39-version-negotiation] +ssl_conf = 39-version-negotiation-ssl + +[39-version-negotiation-ssl] +server = 39-version-negotiation-server +client = 39-version-negotiation-client + +[39-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[39-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-39] +ExpectedResult = Success +Protocol = TLSv1 + + +# =========================================================== + +[40-version-negotiation] +ssl_conf = 40-version-negotiation-ssl + +[40-version-negotiation-ssl] +server = 40-version-negotiation-server +client = 40-version-negotiation-client + +[40-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[40-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-40] +ExpectedResult = Success +Protocol = TLSv1.1 + + +# =========================================================== + +[41-version-negotiation] +ssl_conf = 41-version-negotiation-ssl + +[41-version-negotiation-ssl] +server = 41-version-negotiation-server +client = 41-version-negotiation-client + +[41-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[41-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = 
TLSv1.1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-41] +ExpectedResult = Success +Protocol = TLSv1.1 + + +# =========================================================== + +[42-version-negotiation] +ssl_conf = 42-version-negotiation-ssl + +[42-version-negotiation-ssl] +server = 42-version-negotiation-server +client = 42-version-negotiation-client + +[42-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[42-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-42] +ExpectedResult = Success +Protocol = TLSv1.1 + + +# =========================================================== + +[43-version-negotiation] +ssl_conf = 43-version-negotiation-ssl + +[43-version-negotiation-ssl] +server = 43-version-negotiation-server +client = 43-version-negotiation-client + +[43-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = SSLv3 +MinProtocol = SSLv3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[43-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-43] +ExpectedResult = ServerFail + + +# =========================================================== + +[44-version-negotiation] +ssl_conf = 44-version-negotiation-ssl + +[44-version-negotiation-ssl] +server = 44-version-negotiation-server +client = 44-version-negotiation-client + +[44-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1 +MinProtocol = SSLv3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[44-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +VerifyCAFile = 
${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-44] +ExpectedResult = Success +Protocol = TLSv1 + + +# =========================================================== + +[45-version-negotiation] +ssl_conf = 45-version-negotiation-ssl + +[45-version-negotiation-ssl] +server = 45-version-negotiation-server +client = 45-version-negotiation-client + +[45-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +MinProtocol = SSLv3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[45-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-45] +ExpectedResult = Success +Protocol = TLSv1.1 + + +# =========================================================== + +[46-version-negotiation] +ssl_conf = 46-version-negotiation-ssl + +[46-version-negotiation-ssl] +server = 46-version-negotiation-server +client = 46-version-negotiation-client + +[46-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = SSLv3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[46-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-46] +ExpectedResult = Success +Protocol = TLSv1.1 + + +# =========================================================== + +[47-version-negotiation] +ssl_conf = 47-version-negotiation-ssl + +[47-version-negotiation-ssl] +server = 47-version-negotiation-server +client = 47-version-negotiation-client + +[47-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MinProtocol = SSLv3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[47-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +VerifyCAFile = 
${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-47] +ExpectedResult = Success +Protocol = TLSv1.1 + + +# =========================================================== + +[48-version-negotiation] +ssl_conf = 48-version-negotiation-ssl + +[48-version-negotiation-ssl] +server = 48-version-negotiation-server +client = 48-version-negotiation-client + +[48-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1 +MinProtocol = TLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[48-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-48] +ExpectedResult = Success +Protocol = TLSv1 + + +# =========================================================== + +[49-version-negotiation] +ssl_conf = 49-version-negotiation-ssl + +[49-version-negotiation-ssl] +server = 49-version-negotiation-server +client = 49-version-negotiation-client + +[49-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +MinProtocol = TLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[49-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-49] +ExpectedResult = Success +Protocol = TLSv1.1 + + +# =========================================================== + +[50-version-negotiation] +ssl_conf = 50-version-negotiation-ssl + +[50-version-negotiation-ssl] +server = 50-version-negotiation-server +client = 50-version-negotiation-client + +[50-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[50-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.1 
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-50] +ExpectedResult = Success +Protocol = TLSv1.1 + + +# =========================================================== + +[51-version-negotiation] +ssl_conf = 51-version-negotiation-ssl + +[51-version-negotiation-ssl] +server = 51-version-negotiation-server +client = 51-version-negotiation-client + +[51-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MinProtocol = TLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[51-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-51] +ExpectedResult = Success +Protocol = TLSv1.1 + + +# =========================================================== + +[52-version-negotiation] +ssl_conf = 52-version-negotiation-ssl + +[52-version-negotiation-ssl] +server = 52-version-negotiation-server +client = 52-version-negotiation-client + +[52-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +MinProtocol = TLSv1.1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[52-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-52] +ExpectedResult = Success +Protocol = TLSv1.1 + + +# =========================================================== + +[53-version-negotiation] +ssl_conf = 53-version-negotiation-ssl + +[53-version-negotiation-ssl] +server = 53-version-negotiation-server +client = 53-version-negotiation-client + +[53-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1.1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[53-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.1 
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-53] +ExpectedResult = Success +Protocol = TLSv1.1 + + +# =========================================================== + +[54-version-negotiation] +ssl_conf = 54-version-negotiation-ssl + +[54-version-negotiation-ssl] +server = 54-version-negotiation-server +client = 54-version-negotiation-client + +[54-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MinProtocol = TLSv1.1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[54-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-54] +ExpectedResult = Success +Protocol = TLSv1.1 + + +# =========================================================== + +[55-version-negotiation] +ssl_conf = 55-version-negotiation-ssl + +[55-version-negotiation-ssl] +server = 55-version-negotiation-server +client = 55-version-negotiation-client + +[55-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[55-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-55] +ExpectedResult = ServerFail + + +# =========================================================== + +[56-version-negotiation] +ssl_conf = 56-version-negotiation-ssl + +[56-version-negotiation-ssl] +server = 56-version-negotiation-server +client = 56-version-negotiation-client + +[56-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MinProtocol = TLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[56-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +VerifyCAFile = 
${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-56] +ExpectedResult = ServerFail + + +# =========================================================== + +[57-version-negotiation] +ssl_conf = 57-version-negotiation-ssl + +[57-version-negotiation-ssl] +server = 57-version-negotiation-server +client = 57-version-negotiation-client + +[57-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = SSLv3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[57-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-57] +ExpectedResult = ServerFail + + +# =========================================================== + +[58-version-negotiation] +ssl_conf = 58-version-negotiation-ssl + +[58-version-negotiation-ssl] +server = 58-version-negotiation-server +client = 58-version-negotiation-client + +[58-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[58-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-58] +ExpectedResult = Success +Protocol = TLSv1 + + +# =========================================================== + +[59-version-negotiation] +ssl_conf = 59-version-negotiation-ssl + +[59-version-negotiation-ssl] +server = 59-version-negotiation-server +client = 59-version-negotiation-client + +[59-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[59-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-59] +ExpectedResult = Success 
+Protocol = TLSv1.1 + + +# =========================================================== + +[60-version-negotiation] +ssl_conf = 60-version-negotiation-ssl + +[60-version-negotiation-ssl] +server = 60-version-negotiation-server +client = 60-version-negotiation-client + +[60-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[60-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-60] +ExpectedResult = Success +Protocol = TLSv1.2 + + +# =========================================================== + +[61-version-negotiation] +ssl_conf = 61-version-negotiation-ssl + +[61-version-negotiation-ssl] +server = 61-version-negotiation-server +client = 61-version-negotiation-client + +[61-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[61-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-61] +ExpectedResult = Success +Protocol = TLSv1.2 + + +# =========================================================== + +[62-version-negotiation] +ssl_conf = 62-version-negotiation-ssl + +[62-version-negotiation-ssl] +server = 62-version-negotiation-server +client = 62-version-negotiation-client + +[62-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = SSLv3 +MinProtocol = SSLv3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[62-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-62] +ExpectedResult = ServerFail + + +# 
=========================================================== + +[63-version-negotiation] +ssl_conf = 63-version-negotiation-ssl + +[63-version-negotiation-ssl] +server = 63-version-negotiation-server +client = 63-version-negotiation-client + +[63-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1 +MinProtocol = SSLv3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[63-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-63] +ExpectedResult = Success +Protocol = TLSv1 + + +# =========================================================== + +[64-version-negotiation] +ssl_conf = 64-version-negotiation-ssl + +[64-version-negotiation-ssl] +server = 64-version-negotiation-server +client = 64-version-negotiation-client + +[64-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +MinProtocol = SSLv3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[64-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-64] +ExpectedResult = Success +Protocol = TLSv1.1 + + +# =========================================================== + +[65-version-negotiation] +ssl_conf = 65-version-negotiation-ssl + +[65-version-negotiation-ssl] +server = 65-version-negotiation-server +client = 65-version-negotiation-client + +[65-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = SSLv3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[65-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-65] +ExpectedResult = Success +Protocol = TLSv1.2 + + 
+# =========================================================== + +[66-version-negotiation] +ssl_conf = 66-version-negotiation-ssl + +[66-version-negotiation-ssl] +server = 66-version-negotiation-server +client = 66-version-negotiation-client + +[66-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MinProtocol = SSLv3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[66-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-66] +ExpectedResult = Success +Protocol = TLSv1.2 + + +# =========================================================== + +[67-version-negotiation] +ssl_conf = 67-version-negotiation-ssl + +[67-version-negotiation-ssl] +server = 67-version-negotiation-server +client = 67-version-negotiation-client + +[67-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1 +MinProtocol = TLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[67-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-67] +ExpectedResult = Success +Protocol = TLSv1 + + +# =========================================================== + +[68-version-negotiation] +ssl_conf = 68-version-negotiation-ssl + +[68-version-negotiation-ssl] +server = 68-version-negotiation-server +client = 68-version-negotiation-client + +[68-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +MinProtocol = TLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[68-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-68] +ExpectedResult = Success +Protocol = TLSv1.1 + + +# 
=========================================================== + +[69-version-negotiation] +ssl_conf = 69-version-negotiation-ssl + +[69-version-negotiation-ssl] +server = 69-version-negotiation-server +client = 69-version-negotiation-client + +[69-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[69-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-69] +ExpectedResult = Success +Protocol = TLSv1.2 + + +# =========================================================== + +[70-version-negotiation] +ssl_conf = 70-version-negotiation-ssl + +[70-version-negotiation-ssl] +server = 70-version-negotiation-server +client = 70-version-negotiation-client + +[70-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MinProtocol = TLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[70-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-70] +ExpectedResult = Success +Protocol = TLSv1.2 + + +# =========================================================== + +[71-version-negotiation] +ssl_conf = 71-version-negotiation-ssl + +[71-version-negotiation-ssl] +server = 71-version-negotiation-server +client = 71-version-negotiation-client + +[71-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +MinProtocol = TLSv1.1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[71-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-71] +ExpectedResult = Success +Protocol = TLSv1.1 + + +# 
=========================================================== + +[72-version-negotiation] +ssl_conf = 72-version-negotiation-ssl + +[72-version-negotiation-ssl] +server = 72-version-negotiation-server +client = 72-version-negotiation-client + +[72-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1.1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[72-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-72] +ExpectedResult = Success +Protocol = TLSv1.2 + + +# =========================================================== + +[73-version-negotiation] +ssl_conf = 73-version-negotiation-ssl + +[73-version-negotiation-ssl] +server = 73-version-negotiation-server +client = 73-version-negotiation-client + +[73-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MinProtocol = TLSv1.1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[73-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-73] +ExpectedResult = Success +Protocol = TLSv1.2 + + +# =========================================================== + +[74-version-negotiation] +ssl_conf = 74-version-negotiation-ssl + +[74-version-negotiation-ssl] +server = 74-version-negotiation-server +client = 74-version-negotiation-client + +[74-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[74-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-74] +ExpectedResult = Success +Protocol = TLSv1.2 + + +# 
=========================================================== + +[75-version-negotiation] +ssl_conf = 75-version-negotiation-ssl + +[75-version-negotiation-ssl] +server = 75-version-negotiation-server +client = 75-version-negotiation-client + +[75-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MinProtocol = TLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[75-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-75] +ExpectedResult = Success +Protocol = TLSv1.2 + + +# =========================================================== + +[76-version-negotiation] +ssl_conf = 76-version-negotiation-ssl + +[76-version-negotiation-ssl] +server = 76-version-negotiation-server +client = 76-version-negotiation-client + +[76-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = SSLv3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[76-version-negotiation-client] +CipherString = DEFAULT +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-76] +ExpectedResult = ServerFail + + +# =========================================================== + +[77-version-negotiation] +ssl_conf = 77-version-negotiation-ssl + +[77-version-negotiation-ssl] +server = 77-version-negotiation-server +client = 77-version-negotiation-client + +[77-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[77-version-negotiation-client] +CipherString = DEFAULT +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-77] +ExpectedResult = Success +Protocol = TLSv1 + + +# =========================================================== + +[78-version-negotiation] +ssl_conf = 
78-version-negotiation-ssl + +[78-version-negotiation-ssl] +server = 78-version-negotiation-server +client = 78-version-negotiation-client + +[78-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[78-version-negotiation-client] +CipherString = DEFAULT +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-78] +ExpectedResult = Success +Protocol = TLSv1.1 + + +# =========================================================== + +[79-version-negotiation] +ssl_conf = 79-version-negotiation-ssl + +[79-version-negotiation-ssl] +server = 79-version-negotiation-server +client = 79-version-negotiation-client + +[79-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[79-version-negotiation-client] +CipherString = DEFAULT +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-79] +ExpectedResult = Success +Protocol = TLSv1.2 + + +# =========================================================== + +[80-version-negotiation] +ssl_conf = 80-version-negotiation-ssl + +[80-version-negotiation-ssl] +server = 80-version-negotiation-server +client = 80-version-negotiation-client + +[80-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[80-version-negotiation-client] +CipherString = DEFAULT +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-80] +ExpectedResult = Success +Protocol = TLSv1.2 + + +# =========================================================== + +[81-version-negotiation] +ssl_conf = 81-version-negotiation-ssl + +[81-version-negotiation-ssl] +server = 81-version-negotiation-server +client = 81-version-negotiation-client + 
+[81-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = SSLv3 +MinProtocol = SSLv3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[81-version-negotiation-client] +CipherString = DEFAULT +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-81] +ExpectedResult = ServerFail + + +# =========================================================== + +[82-version-negotiation] +ssl_conf = 82-version-negotiation-ssl + +[82-version-negotiation-ssl] +server = 82-version-negotiation-server +client = 82-version-negotiation-client + +[82-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1 +MinProtocol = SSLv3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[82-version-negotiation-client] +CipherString = DEFAULT +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-82] +ExpectedResult = Success +Protocol = TLSv1 + + +# =========================================================== + +[83-version-negotiation] +ssl_conf = 83-version-negotiation-ssl + +[83-version-negotiation-ssl] +server = 83-version-negotiation-server +client = 83-version-negotiation-client + +[83-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +MinProtocol = SSLv3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[83-version-negotiation-client] +CipherString = DEFAULT +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-83] +ExpectedResult = Success +Protocol = TLSv1.1 + + +# =========================================================== + +[84-version-negotiation] +ssl_conf = 84-version-negotiation-ssl + +[84-version-negotiation-ssl] +server = 84-version-negotiation-server +client = 84-version-negotiation-client + +[84-version-negotiation-server] +Certificate = 
${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = SSLv3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[84-version-negotiation-client] +CipherString = DEFAULT +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-84] +ExpectedResult = Success +Protocol = TLSv1.2 + + +# =========================================================== + +[85-version-negotiation] +ssl_conf = 85-version-negotiation-ssl + +[85-version-negotiation-ssl] +server = 85-version-negotiation-server +client = 85-version-negotiation-client + +[85-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MinProtocol = SSLv3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[85-version-negotiation-client] +CipherString = DEFAULT +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-85] +ExpectedResult = Success +Protocol = TLSv1.2 + + +# =========================================================== + +[86-version-negotiation] +ssl_conf = 86-version-negotiation-ssl + +[86-version-negotiation-ssl] +server = 86-version-negotiation-server +client = 86-version-negotiation-client + +[86-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1 +MinProtocol = TLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[86-version-negotiation-client] +CipherString = DEFAULT +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-86] +ExpectedResult = Success +Protocol = TLSv1 + + +# =========================================================== + +[87-version-negotiation] +ssl_conf = 87-version-negotiation-ssl + +[87-version-negotiation-ssl] +server = 87-version-negotiation-server +client = 87-version-negotiation-client + +[87-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.1 
+MinProtocol = TLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[87-version-negotiation-client] +CipherString = DEFAULT +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-87] +ExpectedResult = Success +Protocol = TLSv1.1 + + +# =========================================================== + +[88-version-negotiation] +ssl_conf = 88-version-negotiation-ssl + +[88-version-negotiation-ssl] +server = 88-version-negotiation-server +client = 88-version-negotiation-client + +[88-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[88-version-negotiation-client] +CipherString = DEFAULT +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-88] +ExpectedResult = Success +Protocol = TLSv1.2 + + +# =========================================================== + +[89-version-negotiation] +ssl_conf = 89-version-negotiation-ssl + +[89-version-negotiation-ssl] +server = 89-version-negotiation-server +client = 89-version-negotiation-client + +[89-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MinProtocol = TLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[89-version-negotiation-client] +CipherString = DEFAULT +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-89] +ExpectedResult = Success +Protocol = TLSv1.2 + + +# =========================================================== + +[90-version-negotiation] +ssl_conf = 90-version-negotiation-ssl + +[90-version-negotiation-ssl] +server = 90-version-negotiation-server +client = 90-version-negotiation-client + +[90-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +MinProtocol = TLSv1.1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + 
+[90-version-negotiation-client] +CipherString = DEFAULT +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-90] +ExpectedResult = Success +Protocol = TLSv1.1 + + +# =========================================================== + +[91-version-negotiation] +ssl_conf = 91-version-negotiation-ssl + +[91-version-negotiation-ssl] +server = 91-version-negotiation-server +client = 91-version-negotiation-client + +[91-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1.1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[91-version-negotiation-client] +CipherString = DEFAULT +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-91] +ExpectedResult = Success +Protocol = TLSv1.2 + + +# =========================================================== + +[92-version-negotiation] +ssl_conf = 92-version-negotiation-ssl + +[92-version-negotiation-ssl] +server = 92-version-negotiation-server +client = 92-version-negotiation-client + +[92-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MinProtocol = TLSv1.1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[92-version-negotiation-client] +CipherString = DEFAULT +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-92] +ExpectedResult = Success +Protocol = TLSv1.2 + + +# =========================================================== + +[93-version-negotiation] +ssl_conf = 93-version-negotiation-ssl + +[93-version-negotiation-ssl] +server = 93-version-negotiation-server +client = 93-version-negotiation-client + +[93-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[93-version-negotiation-client] +CipherString = DEFAULT +VerifyCAFile = 
${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-93] +ExpectedResult = Success +Protocol = TLSv1.2 + + +# =========================================================== + +[94-version-negotiation] +ssl_conf = 94-version-negotiation-ssl + +[94-version-negotiation-ssl] +server = 94-version-negotiation-server +client = 94-version-negotiation-client + +[94-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MinProtocol = TLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[94-version-negotiation-client] +CipherString = DEFAULT +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-94] +ExpectedResult = Success +Protocol = TLSv1.2 + + +# =========================================================== + +[95-version-negotiation] +ssl_conf = 95-version-negotiation-ssl + +[95-version-negotiation-ssl] +server = 95-version-negotiation-server +client = 95-version-negotiation-client + +[95-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = SSLv3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[95-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = SSLv3 +MinProtocol = SSLv3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-95] +ExpectedResult = InternalError + + +# =========================================================== + +[96-version-negotiation] +ssl_conf = 96-version-negotiation-ssl + +[96-version-negotiation-ssl] +server = 96-version-negotiation-server +client = 96-version-negotiation-client + +[96-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[96-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = SSLv3 +MinProtocol = SSLv3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + 
+[test-96] +ExpectedResult = InternalError + + +# =========================================================== + +[97-version-negotiation] +ssl_conf = 97-version-negotiation-ssl + +[97-version-negotiation-ssl] +server = 97-version-negotiation-server +client = 97-version-negotiation-client + +[97-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[97-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = SSLv3 +MinProtocol = SSLv3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-97] +ExpectedResult = InternalError + + +# =========================================================== + +[98-version-negotiation] +ssl_conf = 98-version-negotiation-ssl + +[98-version-negotiation-ssl] +server = 98-version-negotiation-server +client = 98-version-negotiation-client + +[98-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[98-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = SSLv3 +MinProtocol = SSLv3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-98] +ExpectedResult = InternalError + + +# =========================================================== + +[99-version-negotiation] +ssl_conf = 99-version-negotiation-ssl + +[99-version-negotiation-ssl] +server = 99-version-negotiation-server +client = 99-version-negotiation-client + +[99-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[99-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = SSLv3 +MinProtocol = SSLv3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-99] +ExpectedResult = InternalError + + +# 
=========================================================== + +[100-version-negotiation] +ssl_conf = 100-version-negotiation-ssl + +[100-version-negotiation-ssl] +server = 100-version-negotiation-server +client = 100-version-negotiation-client + +[100-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = SSLv3 +MinProtocol = SSLv3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[100-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = SSLv3 +MinProtocol = SSLv3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-100] +ExpectedResult = InternalError + + +# =========================================================== + +[101-version-negotiation] +ssl_conf = 101-version-negotiation-ssl + +[101-version-negotiation-ssl] +server = 101-version-negotiation-server +client = 101-version-negotiation-client + +[101-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1 +MinProtocol = SSLv3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[101-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = SSLv3 +MinProtocol = SSLv3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-101] +ExpectedResult = InternalError + + +# =========================================================== + +[102-version-negotiation] +ssl_conf = 102-version-negotiation-ssl + +[102-version-negotiation-ssl] +server = 102-version-negotiation-server +client = 102-version-negotiation-client + +[102-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +MinProtocol = SSLv3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[102-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = SSLv3 +MinProtocol = SSLv3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + 
+[test-102] +ExpectedResult = InternalError + + +# =========================================================== + +[103-version-negotiation] +ssl_conf = 103-version-negotiation-ssl + +[103-version-negotiation-ssl] +server = 103-version-negotiation-server +client = 103-version-negotiation-client + +[103-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = SSLv3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[103-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = SSLv3 +MinProtocol = SSLv3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-103] +ExpectedResult = InternalError + + +# =========================================================== + +[104-version-negotiation] +ssl_conf = 104-version-negotiation-ssl + +[104-version-negotiation-ssl] +server = 104-version-negotiation-server +client = 104-version-negotiation-client + +[104-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MinProtocol = SSLv3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[104-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = SSLv3 +MinProtocol = SSLv3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-104] +ExpectedResult = InternalError + + +# =========================================================== + +[105-version-negotiation] +ssl_conf = 105-version-negotiation-ssl + +[105-version-negotiation-ssl] +server = 105-version-negotiation-server +client = 105-version-negotiation-client + +[105-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1 +MinProtocol = TLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[105-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = SSLv3 +MinProtocol = SSLv3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem 
+VerifyMode = Peer + + +[test-105] +ExpectedResult = InternalError + + +# =========================================================== + +[106-version-negotiation] +ssl_conf = 106-version-negotiation-ssl + +[106-version-negotiation-ssl] +server = 106-version-negotiation-server +client = 106-version-negotiation-client + +[106-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +MinProtocol = TLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[106-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = SSLv3 +MinProtocol = SSLv3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-106] +ExpectedResult = InternalError + + +# =========================================================== + +[107-version-negotiation] +ssl_conf = 107-version-negotiation-ssl + +[107-version-negotiation-ssl] +server = 107-version-negotiation-server +client = 107-version-negotiation-client + +[107-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[107-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = SSLv3 +MinProtocol = SSLv3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-107] +ExpectedResult = InternalError + + +# =========================================================== + +[108-version-negotiation] +ssl_conf = 108-version-negotiation-ssl + +[108-version-negotiation-ssl] +server = 108-version-negotiation-server +client = 108-version-negotiation-client + +[108-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MinProtocol = TLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[108-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = SSLv3 +MinProtocol = SSLv3 +VerifyCAFile = 
${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-108] +ExpectedResult = InternalError + + +# =========================================================== + +[109-version-negotiation] +ssl_conf = 109-version-negotiation-ssl + +[109-version-negotiation-ssl] +server = 109-version-negotiation-server +client = 109-version-negotiation-client + +[109-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +MinProtocol = TLSv1.1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[109-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = SSLv3 +MinProtocol = SSLv3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-109] +ExpectedResult = InternalError + + +# =========================================================== + +[110-version-negotiation] +ssl_conf = 110-version-negotiation-ssl + +[110-version-negotiation-ssl] +server = 110-version-negotiation-server +client = 110-version-negotiation-client + +[110-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1.1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[110-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = SSLv3 +MinProtocol = SSLv3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-110] +ExpectedResult = InternalError + + +# =========================================================== + +[111-version-negotiation] +ssl_conf = 111-version-negotiation-ssl + +[111-version-negotiation-ssl] +server = 111-version-negotiation-server +client = 111-version-negotiation-client + +[111-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MinProtocol = TLSv1.1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[111-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = SSLv3 
+MinProtocol = SSLv3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-111] +ExpectedResult = InternalError + + +# =========================================================== + +[112-version-negotiation] +ssl_conf = 112-version-negotiation-ssl + +[112-version-negotiation-ssl] +server = 112-version-negotiation-server +client = 112-version-negotiation-client + +[112-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[112-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = SSLv3 +MinProtocol = SSLv3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-112] +ExpectedResult = InternalError + + +# =========================================================== + +[113-version-negotiation] +ssl_conf = 113-version-negotiation-ssl + +[113-version-negotiation-ssl] +server = 113-version-negotiation-server +client = 113-version-negotiation-client + +[113-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MinProtocol = TLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[113-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = SSLv3 +MinProtocol = SSLv3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-113] +ExpectedResult = InternalError + + +# =========================================================== + +[114-version-negotiation] +ssl_conf = 114-version-negotiation-ssl + +[114-version-negotiation-ssl] +server = 114-version-negotiation-server +client = 114-version-negotiation-client + +[114-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = SSLv3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[114-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = 
TLSv1 +MinProtocol = SSLv3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-114] +ExpectedResult = ServerFail + + +# =========================================================== + +[115-version-negotiation] +ssl_conf = 115-version-negotiation-ssl + +[115-version-negotiation-ssl] +server = 115-version-negotiation-server +client = 115-version-negotiation-client + +[115-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[115-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1 +MinProtocol = SSLv3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-115] +ExpectedResult = Success +Protocol = TLSv1 + + +# =========================================================== + +[116-version-negotiation] +ssl_conf = 116-version-negotiation-ssl + +[116-version-negotiation-ssl] +server = 116-version-negotiation-server +client = 116-version-negotiation-client + +[116-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[116-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1 +MinProtocol = SSLv3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-116] +ExpectedResult = Success +Protocol = TLSv1 + + +# =========================================================== + +[117-version-negotiation] +ssl_conf = 117-version-negotiation-ssl + +[117-version-negotiation-ssl] +server = 117-version-negotiation-server +client = 117-version-negotiation-client + +[117-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[117-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol 
= TLSv1 +MinProtocol = SSLv3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-117] +ExpectedResult = Success +Protocol = TLSv1 + + +# =========================================================== + +[118-version-negotiation] +ssl_conf = 118-version-negotiation-ssl + +[118-version-negotiation-ssl] +server = 118-version-negotiation-server +client = 118-version-negotiation-client + +[118-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[118-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1 +MinProtocol = SSLv3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-118] +ExpectedResult = Success +Protocol = TLSv1 + + +# =========================================================== + +[119-version-negotiation] +ssl_conf = 119-version-negotiation-ssl + +[119-version-negotiation-ssl] +server = 119-version-negotiation-server +client = 119-version-negotiation-client + +[119-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = SSLv3 +MinProtocol = SSLv3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[119-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1 +MinProtocol = SSLv3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-119] +ExpectedResult = ServerFail + + +# =========================================================== + +[120-version-negotiation] +ssl_conf = 120-version-negotiation-ssl + +[120-version-negotiation-ssl] +server = 120-version-negotiation-server +client = 120-version-negotiation-client + +[120-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1 +MinProtocol = SSLv3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[120-version-negotiation-client] +CipherString = 
DEFAULT +MaxProtocol = TLSv1 +MinProtocol = SSLv3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-120] +ExpectedResult = Success +Protocol = TLSv1 + + +# =========================================================== + +[121-version-negotiation] +ssl_conf = 121-version-negotiation-ssl + +[121-version-negotiation-ssl] +server = 121-version-negotiation-server +client = 121-version-negotiation-client + +[121-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +MinProtocol = SSLv3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[121-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1 +MinProtocol = SSLv3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-121] +ExpectedResult = Success +Protocol = TLSv1 + + +# =========================================================== + +[122-version-negotiation] +ssl_conf = 122-version-negotiation-ssl + +[122-version-negotiation-ssl] +server = 122-version-negotiation-server +client = 122-version-negotiation-client + +[122-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = SSLv3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[122-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1 +MinProtocol = SSLv3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-122] +ExpectedResult = Success +Protocol = TLSv1 + + +# =========================================================== + +[123-version-negotiation] +ssl_conf = 123-version-negotiation-ssl + +[123-version-negotiation-ssl] +server = 123-version-negotiation-server +client = 123-version-negotiation-client + +[123-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MinProtocol = SSLv3 +PrivateKey = 
${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[123-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1 +MinProtocol = SSLv3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-123] +ExpectedResult = Success +Protocol = TLSv1 + + +# =========================================================== + +[124-version-negotiation] +ssl_conf = 124-version-negotiation-ssl + +[124-version-negotiation-ssl] +server = 124-version-negotiation-server +client = 124-version-negotiation-client + +[124-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1 +MinProtocol = TLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[124-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1 +MinProtocol = SSLv3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-124] +ExpectedResult = Success +Protocol = TLSv1 + + +# =========================================================== + +[125-version-negotiation] +ssl_conf = 125-version-negotiation-ssl + +[125-version-negotiation-ssl] +server = 125-version-negotiation-server +client = 125-version-negotiation-client + +[125-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +MinProtocol = TLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[125-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1 +MinProtocol = SSLv3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-125] +ExpectedResult = Success +Protocol = TLSv1 + + +# =========================================================== + +[126-version-negotiation] +ssl_conf = 126-version-negotiation-ssl + +[126-version-negotiation-ssl] +server = 126-version-negotiation-server +client = 126-version-negotiation-client + +[126-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem 
+CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[126-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1 +MinProtocol = SSLv3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-126] +ExpectedResult = Success +Protocol = TLSv1 + + +# =========================================================== + +[127-version-negotiation] +ssl_conf = 127-version-negotiation-ssl + +[127-version-negotiation-ssl] +server = 127-version-negotiation-server +client = 127-version-negotiation-client + +[127-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MinProtocol = TLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[127-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1 +MinProtocol = SSLv3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-127] +ExpectedResult = Success +Protocol = TLSv1 + + +# =========================================================== + +[128-version-negotiation] +ssl_conf = 128-version-negotiation-ssl + +[128-version-negotiation-ssl] +server = 128-version-negotiation-server +client = 128-version-negotiation-client + +[128-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +MinProtocol = TLSv1.1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[128-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1 +MinProtocol = SSLv3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-128] +ExpectedResult = ServerFail + + +# =========================================================== + +[129-version-negotiation] +ssl_conf = 129-version-negotiation-ssl + +[129-version-negotiation-ssl] +server = 129-version-negotiation-server +client = 129-version-negotiation-client + +[129-version-negotiation-server] 
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1.1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[129-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1 +MinProtocol = SSLv3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-129] +ExpectedResult = ServerFail + + +# =========================================================== + +[130-version-negotiation] +ssl_conf = 130-version-negotiation-ssl + +[130-version-negotiation-ssl] +server = 130-version-negotiation-server +client = 130-version-negotiation-client + +[130-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MinProtocol = TLSv1.1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[130-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1 +MinProtocol = SSLv3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-130] +ExpectedResult = ServerFail + + +# =========================================================== + +[131-version-negotiation] +ssl_conf = 131-version-negotiation-ssl + +[131-version-negotiation-ssl] +server = 131-version-negotiation-server +client = 131-version-negotiation-client + +[131-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[131-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1 +MinProtocol = SSLv3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-131] +ExpectedResult = ServerFail + + +# =========================================================== + +[132-version-negotiation] +ssl_conf = 132-version-negotiation-ssl + +[132-version-negotiation-ssl] +server = 132-version-negotiation-server +client = 132-version-negotiation-client + 
+[132-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MinProtocol = TLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[132-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1 +MinProtocol = SSLv3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-132] +ExpectedResult = ServerFail + + +# =========================================================== + +[133-version-negotiation] +ssl_conf = 133-version-negotiation-ssl + +[133-version-negotiation-ssl] +server = 133-version-negotiation-server +client = 133-version-negotiation-client + +[133-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = SSLv3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[133-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +MinProtocol = SSLv3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-133] +ExpectedResult = ServerFail + + +# =========================================================== + +[134-version-negotiation] +ssl_conf = 134-version-negotiation-ssl + +[134-version-negotiation-ssl] +server = 134-version-negotiation-server +client = 134-version-negotiation-client + +[134-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[134-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +MinProtocol = SSLv3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-134] +ExpectedResult = Success +Protocol = TLSv1 + + +# =========================================================== + +[135-version-negotiation] +ssl_conf = 135-version-negotiation-ssl + +[135-version-negotiation-ssl] +server = 135-version-negotiation-server +client = 135-version-negotiation-client + 
+[135-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[135-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +MinProtocol = SSLv3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-135] +ExpectedResult = Success +Protocol = TLSv1.1 + + +# =========================================================== + +[136-version-negotiation] +ssl_conf = 136-version-negotiation-ssl + +[136-version-negotiation-ssl] +server = 136-version-negotiation-server +client = 136-version-negotiation-client + +[136-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[136-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +MinProtocol = SSLv3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-136] +ExpectedResult = Success +Protocol = TLSv1.1 + + +# =========================================================== + +[137-version-negotiation] +ssl_conf = 137-version-negotiation-ssl + +[137-version-negotiation-ssl] +server = 137-version-negotiation-server +client = 137-version-negotiation-client + +[137-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[137-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +MinProtocol = SSLv3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-137] +ExpectedResult = Success +Protocol = TLSv1.1 + + +# =========================================================== + +[138-version-negotiation] +ssl_conf = 138-version-negotiation-ssl + +[138-version-negotiation-ssl] +server = 138-version-negotiation-server +client = 
138-version-negotiation-client + +[138-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = SSLv3 +MinProtocol = SSLv3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[138-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +MinProtocol = SSLv3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-138] +ExpectedResult = ServerFail + + +# =========================================================== + +[139-version-negotiation] +ssl_conf = 139-version-negotiation-ssl + +[139-version-negotiation-ssl] +server = 139-version-negotiation-server +client = 139-version-negotiation-client + +[139-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1 +MinProtocol = SSLv3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[139-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +MinProtocol = SSLv3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-139] +ExpectedResult = Success +Protocol = TLSv1 + + +# =========================================================== + +[140-version-negotiation] +ssl_conf = 140-version-negotiation-ssl + +[140-version-negotiation-ssl] +server = 140-version-negotiation-server +client = 140-version-negotiation-client + +[140-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +MinProtocol = SSLv3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[140-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +MinProtocol = SSLv3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-140] +ExpectedResult = Success +Protocol = TLSv1.1 + + +# =========================================================== + +[141-version-negotiation] +ssl_conf = 141-version-negotiation-ssl + 
+[141-version-negotiation-ssl] +server = 141-version-negotiation-server +client = 141-version-negotiation-client + +[141-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = SSLv3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[141-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +MinProtocol = SSLv3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-141] +ExpectedResult = Success +Protocol = TLSv1.1 + + +# =========================================================== + +[142-version-negotiation] +ssl_conf = 142-version-negotiation-ssl + +[142-version-negotiation-ssl] +server = 142-version-negotiation-server +client = 142-version-negotiation-client + +[142-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MinProtocol = SSLv3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[142-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +MinProtocol = SSLv3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-142] +ExpectedResult = Success +Protocol = TLSv1.1 + + +# =========================================================== + +[143-version-negotiation] +ssl_conf = 143-version-negotiation-ssl + +[143-version-negotiation-ssl] +server = 143-version-negotiation-server +client = 143-version-negotiation-client + +[143-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1 +MinProtocol = TLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[143-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +MinProtocol = SSLv3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-143] +ExpectedResult = Success +Protocol = TLSv1 + + +# =========================================================== + 
+[144-version-negotiation] +ssl_conf = 144-version-negotiation-ssl + +[144-version-negotiation-ssl] +server = 144-version-negotiation-server +client = 144-version-negotiation-client + +[144-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +MinProtocol = TLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[144-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +MinProtocol = SSLv3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-144] +ExpectedResult = Success +Protocol = TLSv1.1 + + +# =========================================================== + +[145-version-negotiation] +ssl_conf = 145-version-negotiation-ssl + +[145-version-negotiation-ssl] +server = 145-version-negotiation-server +client = 145-version-negotiation-client + +[145-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[145-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +MinProtocol = SSLv3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-145] +ExpectedResult = Success +Protocol = TLSv1.1 + + +# =========================================================== + +[146-version-negotiation] +ssl_conf = 146-version-negotiation-ssl + +[146-version-negotiation-ssl] +server = 146-version-negotiation-server +client = 146-version-negotiation-client + +[146-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MinProtocol = TLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[146-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +MinProtocol = SSLv3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-146] +ExpectedResult = Success +Protocol = 
TLSv1.1 + + +# =========================================================== + +[147-version-negotiation] +ssl_conf = 147-version-negotiation-ssl + +[147-version-negotiation-ssl] +server = 147-version-negotiation-server +client = 147-version-negotiation-client + +[147-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +MinProtocol = TLSv1.1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[147-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +MinProtocol = SSLv3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-147] +ExpectedResult = Success +Protocol = TLSv1.1 + + +# =========================================================== + +[148-version-negotiation] +ssl_conf = 148-version-negotiation-ssl + +[148-version-negotiation-ssl] +server = 148-version-negotiation-server +client = 148-version-negotiation-client + +[148-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1.1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[148-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +MinProtocol = SSLv3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-148] +ExpectedResult = Success +Protocol = TLSv1.1 + + +# =========================================================== + +[149-version-negotiation] +ssl_conf = 149-version-negotiation-ssl + +[149-version-negotiation-ssl] +server = 149-version-negotiation-server +client = 149-version-negotiation-client + +[149-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MinProtocol = TLSv1.1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[149-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +MinProtocol = SSLv3 +VerifyCAFile = 
${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-149] +ExpectedResult = Success +Protocol = TLSv1.1 + + +# =========================================================== + +[150-version-negotiation] +ssl_conf = 150-version-negotiation-ssl + +[150-version-negotiation-ssl] +server = 150-version-negotiation-server +client = 150-version-negotiation-client + +[150-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[150-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +MinProtocol = SSLv3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-150] +ExpectedResult = ServerFail + + +# =========================================================== + +[151-version-negotiation] +ssl_conf = 151-version-negotiation-ssl + +[151-version-negotiation-ssl] +server = 151-version-negotiation-server +client = 151-version-negotiation-client + +[151-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MinProtocol = TLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[151-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +MinProtocol = SSLv3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-151] +ExpectedResult = ServerFail + + +# =========================================================== + +[152-version-negotiation] +ssl_conf = 152-version-negotiation-ssl + +[152-version-negotiation-ssl] +server = 152-version-negotiation-server +client = 152-version-negotiation-client + +[152-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = SSLv3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[152-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = 
SSLv3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-152] +ExpectedResult = ServerFail + + +# =========================================================== + +[153-version-negotiation] +ssl_conf = 153-version-negotiation-ssl + +[153-version-negotiation-ssl] +server = 153-version-negotiation-server +client = 153-version-negotiation-client + +[153-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[153-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = SSLv3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-153] +ExpectedResult = Success +Protocol = TLSv1 + + +# =========================================================== + +[154-version-negotiation] +ssl_conf = 154-version-negotiation-ssl + +[154-version-negotiation-ssl] +server = 154-version-negotiation-server +client = 154-version-negotiation-client + +[154-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[154-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = SSLv3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-154] +ExpectedResult = Success +Protocol = TLSv1.1 + + +# =========================================================== + +[155-version-negotiation] +ssl_conf = 155-version-negotiation-ssl + +[155-version-negotiation-ssl] +server = 155-version-negotiation-server +client = 155-version-negotiation-client + +[155-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[155-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.2 
+MinProtocol = SSLv3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-155] +ExpectedResult = Success +Protocol = TLSv1.2 + + +# =========================================================== + +[156-version-negotiation] +ssl_conf = 156-version-negotiation-ssl + +[156-version-negotiation-ssl] +server = 156-version-negotiation-server +client = 156-version-negotiation-client + +[156-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[156-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = SSLv3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-156] +ExpectedResult = Success +Protocol = TLSv1.2 + + +# =========================================================== + +[157-version-negotiation] +ssl_conf = 157-version-negotiation-ssl + +[157-version-negotiation-ssl] +server = 157-version-negotiation-server +client = 157-version-negotiation-client + +[157-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = SSLv3 +MinProtocol = SSLv3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[157-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = SSLv3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-157] +ExpectedResult = ServerFail + + +# =========================================================== + +[158-version-negotiation] +ssl_conf = 158-version-negotiation-ssl + +[158-version-negotiation-ssl] +server = 158-version-negotiation-server +client = 158-version-negotiation-client + +[158-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1 +MinProtocol = SSLv3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[158-version-negotiation-client] +CipherString = 
DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = SSLv3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-158] +ExpectedResult = Success +Protocol = TLSv1 + + +# =========================================================== + +[159-version-negotiation] +ssl_conf = 159-version-negotiation-ssl + +[159-version-negotiation-ssl] +server = 159-version-negotiation-server +client = 159-version-negotiation-client + +[159-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +MinProtocol = SSLv3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[159-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = SSLv3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-159] +ExpectedResult = Success +Protocol = TLSv1.1 + + +# =========================================================== + +[160-version-negotiation] +ssl_conf = 160-version-negotiation-ssl + +[160-version-negotiation-ssl] +server = 160-version-negotiation-server +client = 160-version-negotiation-client + +[160-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = SSLv3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[160-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = SSLv3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-160] +ExpectedResult = Success +Protocol = TLSv1.2 + + +# =========================================================== + +[161-version-negotiation] +ssl_conf = 161-version-negotiation-ssl + +[161-version-negotiation-ssl] +server = 161-version-negotiation-server +client = 161-version-negotiation-client + +[161-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MinProtocol = SSLv3 +PrivateKey = 
${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[161-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = SSLv3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-161] +ExpectedResult = Success +Protocol = TLSv1.2 + + +# =========================================================== + +[162-version-negotiation] +ssl_conf = 162-version-negotiation-ssl + +[162-version-negotiation-ssl] +server = 162-version-negotiation-server +client = 162-version-negotiation-client + +[162-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1 +MinProtocol = TLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[162-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = SSLv3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-162] +ExpectedResult = Success +Protocol = TLSv1 + + +# =========================================================== + +[163-version-negotiation] +ssl_conf = 163-version-negotiation-ssl + +[163-version-negotiation-ssl] +server = 163-version-negotiation-server +client = 163-version-negotiation-client + +[163-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +MinProtocol = TLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[163-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = SSLv3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-163] +ExpectedResult = Success +Protocol = TLSv1.1 + + +# =========================================================== + +[164-version-negotiation] +ssl_conf = 164-version-negotiation-ssl + +[164-version-negotiation-ssl] +server = 164-version-negotiation-server +client = 164-version-negotiation-client + +[164-version-negotiation-server] +Certificate = 
${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[164-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = SSLv3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-164] +ExpectedResult = Success +Protocol = TLSv1.2 + + +# =========================================================== + +[165-version-negotiation] +ssl_conf = 165-version-negotiation-ssl + +[165-version-negotiation-ssl] +server = 165-version-negotiation-server +client = 165-version-negotiation-client + +[165-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MinProtocol = TLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[165-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = SSLv3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-165] +ExpectedResult = Success +Protocol = TLSv1.2 + + +# =========================================================== + +[166-version-negotiation] +ssl_conf = 166-version-negotiation-ssl + +[166-version-negotiation-ssl] +server = 166-version-negotiation-server +client = 166-version-negotiation-client + +[166-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +MinProtocol = TLSv1.1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[166-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = SSLv3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-166] +ExpectedResult = Success +Protocol = TLSv1.1 + + +# =========================================================== + +[167-version-negotiation] +ssl_conf = 167-version-negotiation-ssl + +[167-version-negotiation-ssl] +server = 167-version-negotiation-server +client = 
167-version-negotiation-client + +[167-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1.1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[167-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = SSLv3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-167] +ExpectedResult = Success +Protocol = TLSv1.2 + + +# =========================================================== + +[168-version-negotiation] +ssl_conf = 168-version-negotiation-ssl + +[168-version-negotiation-ssl] +server = 168-version-negotiation-server +client = 168-version-negotiation-client + +[168-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MinProtocol = TLSv1.1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[168-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = SSLv3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-168] +ExpectedResult = Success +Protocol = TLSv1.2 + + +# =========================================================== + +[169-version-negotiation] +ssl_conf = 169-version-negotiation-ssl + +[169-version-negotiation-ssl] +server = 169-version-negotiation-server +client = 169-version-negotiation-client + +[169-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[169-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = SSLv3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-169] +ExpectedResult = Success +Protocol = TLSv1.2 + + +# =========================================================== + +[170-version-negotiation] +ssl_conf = 170-version-negotiation-ssl + 
+[170-version-negotiation-ssl] +server = 170-version-negotiation-server +client = 170-version-negotiation-client + +[170-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MinProtocol = TLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[170-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = SSLv3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-170] +ExpectedResult = Success +Protocol = TLSv1.2 + + +# =========================================================== + +[171-version-negotiation] +ssl_conf = 171-version-negotiation-ssl + +[171-version-negotiation-ssl] +server = 171-version-negotiation-server +client = 171-version-negotiation-client + +[171-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = SSLv3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[171-version-negotiation-client] +CipherString = DEFAULT +MinProtocol = SSLv3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-171] +ExpectedResult = ServerFail + + +# =========================================================== + +[172-version-negotiation] +ssl_conf = 172-version-negotiation-ssl + +[172-version-negotiation-ssl] +server = 172-version-negotiation-server +client = 172-version-negotiation-client + +[172-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[172-version-negotiation-client] +CipherString = DEFAULT +MinProtocol = SSLv3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-172] +ExpectedResult = Success +Protocol = TLSv1 + + +# =========================================================== + +[173-version-negotiation] +ssl_conf = 173-version-negotiation-ssl + +[173-version-negotiation-ssl] 
+server = 173-version-negotiation-server +client = 173-version-negotiation-client + +[173-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[173-version-negotiation-client] +CipherString = DEFAULT +MinProtocol = SSLv3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-173] +ExpectedResult = Success +Protocol = TLSv1.1 + + +# =========================================================== + +[174-version-negotiation] +ssl_conf = 174-version-negotiation-ssl + +[174-version-negotiation-ssl] +server = 174-version-negotiation-server +client = 174-version-negotiation-client + +[174-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[174-version-negotiation-client] +CipherString = DEFAULT +MinProtocol = SSLv3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-174] +ExpectedResult = Success +Protocol = TLSv1.2 + + +# =========================================================== + +[175-version-negotiation] +ssl_conf = 175-version-negotiation-ssl + +[175-version-negotiation-ssl] +server = 175-version-negotiation-server +client = 175-version-negotiation-client + +[175-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[175-version-negotiation-client] +CipherString = DEFAULT +MinProtocol = SSLv3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-175] +ExpectedResult = Success +Protocol = TLSv1.2 + + +# =========================================================== + +[176-version-negotiation] +ssl_conf = 176-version-negotiation-ssl + +[176-version-negotiation-ssl] +server = 176-version-negotiation-server +client = 
176-version-negotiation-client + +[176-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = SSLv3 +MinProtocol = SSLv3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[176-version-negotiation-client] +CipherString = DEFAULT +MinProtocol = SSLv3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-176] +ExpectedResult = ServerFail + + +# =========================================================== + +[177-version-negotiation] +ssl_conf = 177-version-negotiation-ssl + +[177-version-negotiation-ssl] +server = 177-version-negotiation-server +client = 177-version-negotiation-client + +[177-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1 +MinProtocol = SSLv3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[177-version-negotiation-client] +CipherString = DEFAULT +MinProtocol = SSLv3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-177] +ExpectedResult = Success +Protocol = TLSv1 + + +# =========================================================== + +[178-version-negotiation] +ssl_conf = 178-version-negotiation-ssl + +[178-version-negotiation-ssl] +server = 178-version-negotiation-server +client = 178-version-negotiation-client + +[178-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +MinProtocol = SSLv3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[178-version-negotiation-client] +CipherString = DEFAULT +MinProtocol = SSLv3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-178] +ExpectedResult = Success +Protocol = TLSv1.1 + + +# =========================================================== + +[179-version-negotiation] +ssl_conf = 179-version-negotiation-ssl + +[179-version-negotiation-ssl] +server = 179-version-negotiation-server +client 
= 179-version-negotiation-client + +[179-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = SSLv3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[179-version-negotiation-client] +CipherString = DEFAULT +MinProtocol = SSLv3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-179] +ExpectedResult = Success +Protocol = TLSv1.2 + + +# =========================================================== + +[180-version-negotiation] +ssl_conf = 180-version-negotiation-ssl + +[180-version-negotiation-ssl] +server = 180-version-negotiation-server +client = 180-version-negotiation-client + +[180-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MinProtocol = SSLv3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[180-version-negotiation-client] +CipherString = DEFAULT +MinProtocol = SSLv3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-180] +ExpectedResult = Success +Protocol = TLSv1.2 + + +# =========================================================== + +[181-version-negotiation] +ssl_conf = 181-version-negotiation-ssl + +[181-version-negotiation-ssl] +server = 181-version-negotiation-server +client = 181-version-negotiation-client + +[181-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1 +MinProtocol = TLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[181-version-negotiation-client] +CipherString = DEFAULT +MinProtocol = SSLv3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-181] +ExpectedResult = Success +Protocol = TLSv1 + + +# =========================================================== + +[182-version-negotiation] +ssl_conf = 182-version-negotiation-ssl + +[182-version-negotiation-ssl] +server = 182-version-negotiation-server +client = 
182-version-negotiation-client + +[182-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +MinProtocol = TLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[182-version-negotiation-client] +CipherString = DEFAULT +MinProtocol = SSLv3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-182] +ExpectedResult = Success +Protocol = TLSv1.1 + + +# =========================================================== + +[183-version-negotiation] +ssl_conf = 183-version-negotiation-ssl + +[183-version-negotiation-ssl] +server = 183-version-negotiation-server +client = 183-version-negotiation-client + +[183-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[183-version-negotiation-client] +CipherString = DEFAULT +MinProtocol = SSLv3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-183] +ExpectedResult = Success +Protocol = TLSv1.2 + + +# =========================================================== + +[184-version-negotiation] +ssl_conf = 184-version-negotiation-ssl + +[184-version-negotiation-ssl] +server = 184-version-negotiation-server +client = 184-version-negotiation-client + +[184-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MinProtocol = TLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[184-version-negotiation-client] +CipherString = DEFAULT +MinProtocol = SSLv3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-184] +ExpectedResult = Success +Protocol = TLSv1.2 + + +# =========================================================== + +[185-version-negotiation] +ssl_conf = 185-version-negotiation-ssl + +[185-version-negotiation-ssl] +server = 185-version-negotiation-server +client 
= 185-version-negotiation-client + +[185-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +MinProtocol = TLSv1.1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[185-version-negotiation-client] +CipherString = DEFAULT +MinProtocol = SSLv3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-185] +ExpectedResult = Success +Protocol = TLSv1.1 + + +# =========================================================== + +[186-version-negotiation] +ssl_conf = 186-version-negotiation-ssl + +[186-version-negotiation-ssl] +server = 186-version-negotiation-server +client = 186-version-negotiation-client + +[186-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1.1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[186-version-negotiation-client] +CipherString = DEFAULT +MinProtocol = SSLv3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-186] +ExpectedResult = Success +Protocol = TLSv1.2 + + +# =========================================================== + +[187-version-negotiation] +ssl_conf = 187-version-negotiation-ssl + +[187-version-negotiation-ssl] +server = 187-version-negotiation-server +client = 187-version-negotiation-client + +[187-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MinProtocol = TLSv1.1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[187-version-negotiation-client] +CipherString = DEFAULT +MinProtocol = SSLv3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-187] +ExpectedResult = Success +Protocol = TLSv1.2 + + +# =========================================================== + +[188-version-negotiation] +ssl_conf = 188-version-negotiation-ssl + +[188-version-negotiation-ssl] +server = 188-version-negotiation-server 
+client = 188-version-negotiation-client + +[188-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[188-version-negotiation-client] +CipherString = DEFAULT +MinProtocol = SSLv3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-188] +ExpectedResult = Success +Protocol = TLSv1.2 + + +# =========================================================== + +[189-version-negotiation] +ssl_conf = 189-version-negotiation-ssl + +[189-version-negotiation-ssl] +server = 189-version-negotiation-server +client = 189-version-negotiation-client + +[189-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MinProtocol = TLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[189-version-negotiation-client] +CipherString = DEFAULT +MinProtocol = SSLv3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-189] +ExpectedResult = Success +Protocol = TLSv1.2 + + +# =========================================================== + +[190-version-negotiation] +ssl_conf = 190-version-negotiation-ssl + +[190-version-negotiation-ssl] +server = 190-version-negotiation-server +client = 190-version-negotiation-client + +[190-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = SSLv3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[190-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1 +MinProtocol = TLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-190] +ExpectedResult = ServerFail + + +# =========================================================== + +[191-version-negotiation] +ssl_conf = 191-version-negotiation-ssl + +[191-version-negotiation-ssl] +server = 191-version-negotiation-server +client = 
191-version-negotiation-client + +[191-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[191-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1 +MinProtocol = TLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-191] +ExpectedResult = Success +Protocol = TLSv1 + + +# =========================================================== + +[192-version-negotiation] +ssl_conf = 192-version-negotiation-ssl + +[192-version-negotiation-ssl] +server = 192-version-negotiation-server +client = 192-version-negotiation-client + +[192-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[192-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1 +MinProtocol = TLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-192] +ExpectedResult = Success +Protocol = TLSv1 + + +# =========================================================== + +[193-version-negotiation] +ssl_conf = 193-version-negotiation-ssl + +[193-version-negotiation-ssl] +server = 193-version-negotiation-server +client = 193-version-negotiation-client + +[193-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[193-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1 +MinProtocol = TLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-193] +ExpectedResult = Success +Protocol = TLSv1 + + +# =========================================================== + +[194-version-negotiation] +ssl_conf = 194-version-negotiation-ssl + +[194-version-negotiation-ssl] +server = 
194-version-negotiation-server +client = 194-version-negotiation-client + +[194-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[194-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1 +MinProtocol = TLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-194] +ExpectedResult = Success +Protocol = TLSv1 + + +# =========================================================== + +[195-version-negotiation] +ssl_conf = 195-version-negotiation-ssl + +[195-version-negotiation-ssl] +server = 195-version-negotiation-server +client = 195-version-negotiation-client + +[195-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = SSLv3 +MinProtocol = SSLv3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[195-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1 +MinProtocol = TLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-195] +ExpectedResult = ServerFail + + +# =========================================================== + +[196-version-negotiation] +ssl_conf = 196-version-negotiation-ssl + +[196-version-negotiation-ssl] +server = 196-version-negotiation-server +client = 196-version-negotiation-client + +[196-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1 +MinProtocol = SSLv3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[196-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1 +MinProtocol = TLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-196] +ExpectedResult = Success +Protocol = TLSv1 + + +# =========================================================== + +[197-version-negotiation] +ssl_conf = 197-version-negotiation-ssl + 
+[197-version-negotiation-ssl] +server = 197-version-negotiation-server +client = 197-version-negotiation-client + +[197-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +MinProtocol = SSLv3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[197-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1 +MinProtocol = TLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-197] +ExpectedResult = Success +Protocol = TLSv1 + + +# =========================================================== + +[198-version-negotiation] +ssl_conf = 198-version-negotiation-ssl + +[198-version-negotiation-ssl] +server = 198-version-negotiation-server +client = 198-version-negotiation-client + +[198-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = SSLv3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[198-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1 +MinProtocol = TLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-198] +ExpectedResult = Success +Protocol = TLSv1 + + +# =========================================================== + +[199-version-negotiation] +ssl_conf = 199-version-negotiation-ssl + +[199-version-negotiation-ssl] +server = 199-version-negotiation-server +client = 199-version-negotiation-client + +[199-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MinProtocol = SSLv3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[199-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1 +MinProtocol = TLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-199] +ExpectedResult = Success +Protocol = TLSv1 + + +# =========================================================== + 
+[200-version-negotiation] +ssl_conf = 200-version-negotiation-ssl + +[200-version-negotiation-ssl] +server = 200-version-negotiation-server +client = 200-version-negotiation-client + +[200-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1 +MinProtocol = TLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[200-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1 +MinProtocol = TLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-200] +ExpectedResult = Success +Protocol = TLSv1 + + +# =========================================================== + +[201-version-negotiation] +ssl_conf = 201-version-negotiation-ssl + +[201-version-negotiation-ssl] +server = 201-version-negotiation-server +client = 201-version-negotiation-client + +[201-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +MinProtocol = TLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[201-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1 +MinProtocol = TLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-201] +ExpectedResult = Success +Protocol = TLSv1 + + +# =========================================================== + +[202-version-negotiation] +ssl_conf = 202-version-negotiation-ssl + +[202-version-negotiation-ssl] +server = 202-version-negotiation-server +client = 202-version-negotiation-client + +[202-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[202-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1 +MinProtocol = TLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-202] +ExpectedResult = Success 
+Protocol = TLSv1 + + +# =========================================================== + +[203-version-negotiation] +ssl_conf = 203-version-negotiation-ssl + +[203-version-negotiation-ssl] +server = 203-version-negotiation-server +client = 203-version-negotiation-client + +[203-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MinProtocol = TLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[203-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1 +MinProtocol = TLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-203] +ExpectedResult = Success +Protocol = TLSv1 + + +# =========================================================== + +[204-version-negotiation] +ssl_conf = 204-version-negotiation-ssl + +[204-version-negotiation-ssl] +server = 204-version-negotiation-server +client = 204-version-negotiation-client + +[204-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +MinProtocol = TLSv1.1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[204-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1 +MinProtocol = TLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-204] +ExpectedResult = ServerFail + + +# =========================================================== + +[205-version-negotiation] +ssl_conf = 205-version-negotiation-ssl + +[205-version-negotiation-ssl] +server = 205-version-negotiation-server +client = 205-version-negotiation-client + +[205-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1.1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[205-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1 +MinProtocol = TLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode 
= Peer + + +[test-205] +ExpectedResult = ServerFail + + +# =========================================================== + +[206-version-negotiation] +ssl_conf = 206-version-negotiation-ssl + +[206-version-negotiation-ssl] +server = 206-version-negotiation-server +client = 206-version-negotiation-client + +[206-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MinProtocol = TLSv1.1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[206-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1 +MinProtocol = TLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-206] +ExpectedResult = ServerFail + + +# =========================================================== + +[207-version-negotiation] +ssl_conf = 207-version-negotiation-ssl + +[207-version-negotiation-ssl] +server = 207-version-negotiation-server +client = 207-version-negotiation-client + +[207-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[207-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1 +MinProtocol = TLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-207] +ExpectedResult = ServerFail + + +# =========================================================== + +[208-version-negotiation] +ssl_conf = 208-version-negotiation-ssl + +[208-version-negotiation-ssl] +server = 208-version-negotiation-server +client = 208-version-negotiation-client + +[208-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MinProtocol = TLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[208-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1 +MinProtocol = TLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = 
Peer + + +[test-208] +ExpectedResult = ServerFail + + +# =========================================================== + +[209-version-negotiation] +ssl_conf = 209-version-negotiation-ssl + +[209-version-negotiation-ssl] +server = 209-version-negotiation-server +client = 209-version-negotiation-client + +[209-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = SSLv3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[209-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +MinProtocol = TLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-209] +ExpectedResult = ServerFail + + +# =========================================================== + +[210-version-negotiation] +ssl_conf = 210-version-negotiation-ssl + +[210-version-negotiation-ssl] +server = 210-version-negotiation-server +client = 210-version-negotiation-client + +[210-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[210-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +MinProtocol = TLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-210] +ExpectedResult = Success +Protocol = TLSv1 + + +# =========================================================== + +[211-version-negotiation] +ssl_conf = 211-version-negotiation-ssl + +[211-version-negotiation-ssl] +server = 211-version-negotiation-server +client = 211-version-negotiation-client + +[211-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[211-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +MinProtocol = TLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + 
+[test-211] +ExpectedResult = Success +Protocol = TLSv1.1 + + +# =========================================================== + +[212-version-negotiation] +ssl_conf = 212-version-negotiation-ssl + +[212-version-negotiation-ssl] +server = 212-version-negotiation-server +client = 212-version-negotiation-client + +[212-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[212-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +MinProtocol = TLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-212] +ExpectedResult = Success +Protocol = TLSv1.1 + + +# =========================================================== + +[213-version-negotiation] +ssl_conf = 213-version-negotiation-ssl + +[213-version-negotiation-ssl] +server = 213-version-negotiation-server +client = 213-version-negotiation-client + +[213-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[213-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +MinProtocol = TLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-213] +ExpectedResult = Success +Protocol = TLSv1.1 + + +# =========================================================== + +[214-version-negotiation] +ssl_conf = 214-version-negotiation-ssl + +[214-version-negotiation-ssl] +server = 214-version-negotiation-server +client = 214-version-negotiation-client + +[214-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = SSLv3 +MinProtocol = SSLv3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[214-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +MinProtocol = TLSv1 +VerifyCAFile = 
${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-214] +ExpectedResult = ServerFail + + +# =========================================================== + +[215-version-negotiation] +ssl_conf = 215-version-negotiation-ssl + +[215-version-negotiation-ssl] +server = 215-version-negotiation-server +client = 215-version-negotiation-client + +[215-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1 +MinProtocol = SSLv3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[215-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +MinProtocol = TLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-215] +ExpectedResult = Success +Protocol = TLSv1 + + +# =========================================================== + +[216-version-negotiation] +ssl_conf = 216-version-negotiation-ssl + +[216-version-negotiation-ssl] +server = 216-version-negotiation-server +client = 216-version-negotiation-client + +[216-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +MinProtocol = SSLv3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[216-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +MinProtocol = TLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-216] +ExpectedResult = Success +Protocol = TLSv1.1 + + +# =========================================================== + +[217-version-negotiation] +ssl_conf = 217-version-negotiation-ssl + +[217-version-negotiation-ssl] +server = 217-version-negotiation-server +client = 217-version-negotiation-client + +[217-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = SSLv3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[217-version-negotiation-client] 
+CipherString = DEFAULT +MaxProtocol = TLSv1.1 +MinProtocol = TLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-217] +ExpectedResult = Success +Protocol = TLSv1.1 + + +# =========================================================== + +[218-version-negotiation] +ssl_conf = 218-version-negotiation-ssl + +[218-version-negotiation-ssl] +server = 218-version-negotiation-server +client = 218-version-negotiation-client + +[218-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MinProtocol = SSLv3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[218-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +MinProtocol = TLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-218] +ExpectedResult = Success +Protocol = TLSv1.1 + + +# =========================================================== + +[219-version-negotiation] +ssl_conf = 219-version-negotiation-ssl + +[219-version-negotiation-ssl] +server = 219-version-negotiation-server +client = 219-version-negotiation-client + +[219-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1 +MinProtocol = TLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[219-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +MinProtocol = TLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-219] +ExpectedResult = Success +Protocol = TLSv1 + + +# =========================================================== + +[220-version-negotiation] +ssl_conf = 220-version-negotiation-ssl + +[220-version-negotiation-ssl] +server = 220-version-negotiation-server +client = 220-version-negotiation-client + +[220-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +MinProtocol = TLSv1 +PrivateKey = 
${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[220-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +MinProtocol = TLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-220] +ExpectedResult = Success +Protocol = TLSv1.1 + + +# =========================================================== + +[221-version-negotiation] +ssl_conf = 221-version-negotiation-ssl + +[221-version-negotiation-ssl] +server = 221-version-negotiation-server +client = 221-version-negotiation-client + +[221-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[221-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +MinProtocol = TLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-221] +ExpectedResult = Success +Protocol = TLSv1.1 + + +# =========================================================== + +[222-version-negotiation] +ssl_conf = 222-version-negotiation-ssl + +[222-version-negotiation-ssl] +server = 222-version-negotiation-server +client = 222-version-negotiation-client + +[222-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MinProtocol = TLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[222-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +MinProtocol = TLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-222] +ExpectedResult = Success +Protocol = TLSv1.1 + + +# =========================================================== + +[223-version-negotiation] +ssl_conf = 223-version-negotiation-ssl + +[223-version-negotiation-ssl] +server = 223-version-negotiation-server +client = 223-version-negotiation-client + +[223-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem 
+CipherString = DEFAULT +MaxProtocol = TLSv1.1 +MinProtocol = TLSv1.1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[223-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +MinProtocol = TLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-223] +ExpectedResult = Success +Protocol = TLSv1.1 + + +# =========================================================== + +[224-version-negotiation] +ssl_conf = 224-version-negotiation-ssl + +[224-version-negotiation-ssl] +server = 224-version-negotiation-server +client = 224-version-negotiation-client + +[224-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1.1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[224-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +MinProtocol = TLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-224] +ExpectedResult = Success +Protocol = TLSv1.1 + + +# =========================================================== + +[225-version-negotiation] +ssl_conf = 225-version-negotiation-ssl + +[225-version-negotiation-ssl] +server = 225-version-negotiation-server +client = 225-version-negotiation-client + +[225-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MinProtocol = TLSv1.1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[225-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +MinProtocol = TLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-225] +ExpectedResult = Success +Protocol = TLSv1.1 + + +# =========================================================== + +[226-version-negotiation] +ssl_conf = 226-version-negotiation-ssl + +[226-version-negotiation-ssl] +server = 226-version-negotiation-server +client = 226-version-negotiation-client + 
+[226-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[226-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +MinProtocol = TLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-226] +ExpectedResult = ServerFail + + +# =========================================================== + +[227-version-negotiation] +ssl_conf = 227-version-negotiation-ssl + +[227-version-negotiation-ssl] +server = 227-version-negotiation-server +client = 227-version-negotiation-client + +[227-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MinProtocol = TLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[227-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +MinProtocol = TLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-227] +ExpectedResult = ServerFail + + +# =========================================================== + +[228-version-negotiation] +ssl_conf = 228-version-negotiation-ssl + +[228-version-negotiation-ssl] +server = 228-version-negotiation-server +client = 228-version-negotiation-client + +[228-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = SSLv3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[228-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-228] +ExpectedResult = ServerFail + + +# =========================================================== + +[229-version-negotiation] +ssl_conf = 229-version-negotiation-ssl + +[229-version-negotiation-ssl] +server = 229-version-negotiation-server +client = 229-version-negotiation-client 
+ +[229-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[229-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-229] +ExpectedResult = Success +Protocol = TLSv1 + + +# =========================================================== + +[230-version-negotiation] +ssl_conf = 230-version-negotiation-ssl + +[230-version-negotiation-ssl] +server = 230-version-negotiation-server +client = 230-version-negotiation-client + +[230-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[230-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-230] +ExpectedResult = Success +Protocol = TLSv1.1 + + +# =========================================================== + +[231-version-negotiation] +ssl_conf = 231-version-negotiation-ssl + +[231-version-negotiation-ssl] +server = 231-version-negotiation-server +client = 231-version-negotiation-client + +[231-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[231-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-231] +ExpectedResult = Success +Protocol = TLSv1.2 + + +# =========================================================== + +[232-version-negotiation] +ssl_conf = 232-version-negotiation-ssl + +[232-version-negotiation-ssl] +server = 232-version-negotiation-server +client = 
232-version-negotiation-client + +[232-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[232-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-232] +ExpectedResult = Success +Protocol = TLSv1.2 + + +# =========================================================== + +[233-version-negotiation] +ssl_conf = 233-version-negotiation-ssl + +[233-version-negotiation-ssl] +server = 233-version-negotiation-server +client = 233-version-negotiation-client + +[233-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = SSLv3 +MinProtocol = SSLv3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[233-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-233] +ExpectedResult = ServerFail + + +# =========================================================== + +[234-version-negotiation] +ssl_conf = 234-version-negotiation-ssl + +[234-version-negotiation-ssl] +server = 234-version-negotiation-server +client = 234-version-negotiation-client + +[234-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1 +MinProtocol = SSLv3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[234-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-234] +ExpectedResult = Success +Protocol = TLSv1 + + +# =========================================================== + +[235-version-negotiation] +ssl_conf = 235-version-negotiation-ssl + +[235-version-negotiation-ssl] +server = 
235-version-negotiation-server +client = 235-version-negotiation-client + +[235-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +MinProtocol = SSLv3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[235-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-235] +ExpectedResult = Success +Protocol = TLSv1.1 + + +# =========================================================== + +[236-version-negotiation] +ssl_conf = 236-version-negotiation-ssl + +[236-version-negotiation-ssl] +server = 236-version-negotiation-server +client = 236-version-negotiation-client + +[236-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = SSLv3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[236-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-236] +ExpectedResult = Success +Protocol = TLSv1.2 + + +# =========================================================== + +[237-version-negotiation] +ssl_conf = 237-version-negotiation-ssl + +[237-version-negotiation-ssl] +server = 237-version-negotiation-server +client = 237-version-negotiation-client + +[237-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MinProtocol = SSLv3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[237-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-237] +ExpectedResult = Success +Protocol = TLSv1.2 + + +# =========================================================== + +[238-version-negotiation] +ssl_conf = 
238-version-negotiation-ssl + +[238-version-negotiation-ssl] +server = 238-version-negotiation-server +client = 238-version-negotiation-client + +[238-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1 +MinProtocol = TLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[238-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-238] +ExpectedResult = Success +Protocol = TLSv1 + + +# =========================================================== + +[239-version-negotiation] +ssl_conf = 239-version-negotiation-ssl + +[239-version-negotiation-ssl] +server = 239-version-negotiation-server +client = 239-version-negotiation-client + +[239-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +MinProtocol = TLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[239-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-239] +ExpectedResult = Success +Protocol = TLSv1.1 + + +# =========================================================== + +[240-version-negotiation] +ssl_conf = 240-version-negotiation-ssl + +[240-version-negotiation-ssl] +server = 240-version-negotiation-server +client = 240-version-negotiation-client + +[240-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[240-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-240] +ExpectedResult = Success +Protocol = TLSv1.2 + + +# 
=========================================================== + +[241-version-negotiation] +ssl_conf = 241-version-negotiation-ssl + +[241-version-negotiation-ssl] +server = 241-version-negotiation-server +client = 241-version-negotiation-client + +[241-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MinProtocol = TLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[241-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-241] +ExpectedResult = Success +Protocol = TLSv1.2 + + +# =========================================================== + +[242-version-negotiation] +ssl_conf = 242-version-negotiation-ssl + +[242-version-negotiation-ssl] +server = 242-version-negotiation-server +client = 242-version-negotiation-client + +[242-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +MinProtocol = TLSv1.1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[242-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-242] +ExpectedResult = Success +Protocol = TLSv1.1 + + +# =========================================================== + +[243-version-negotiation] +ssl_conf = 243-version-negotiation-ssl + +[243-version-negotiation-ssl] +server = 243-version-negotiation-server +client = 243-version-negotiation-client + +[243-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1.1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[243-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode 
= Peer + + +[test-243] +ExpectedResult = Success +Protocol = TLSv1.2 + + +# =========================================================== + +[244-version-negotiation] +ssl_conf = 244-version-negotiation-ssl + +[244-version-negotiation-ssl] +server = 244-version-negotiation-server +client = 244-version-negotiation-client + +[244-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MinProtocol = TLSv1.1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[244-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-244] +ExpectedResult = Success +Protocol = TLSv1.2 + + +# =========================================================== + +[245-version-negotiation] +ssl_conf = 245-version-negotiation-ssl + +[245-version-negotiation-ssl] +server = 245-version-negotiation-server +client = 245-version-negotiation-client + +[245-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[245-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-245] +ExpectedResult = Success +Protocol = TLSv1.2 + + +# =========================================================== + +[246-version-negotiation] +ssl_conf = 246-version-negotiation-ssl + +[246-version-negotiation-ssl] +server = 246-version-negotiation-server +client = 246-version-negotiation-client + +[246-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MinProtocol = TLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[246-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1 
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-246] +ExpectedResult = Success +Protocol = TLSv1.2 + + +# =========================================================== + +[247-version-negotiation] +ssl_conf = 247-version-negotiation-ssl + +[247-version-negotiation-ssl] +server = 247-version-negotiation-server +client = 247-version-negotiation-client + +[247-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = SSLv3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[247-version-negotiation-client] +CipherString = DEFAULT +MinProtocol = TLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-247] +ExpectedResult = ServerFail + + +# =========================================================== + +[248-version-negotiation] +ssl_conf = 248-version-negotiation-ssl + +[248-version-negotiation-ssl] +server = 248-version-negotiation-server +client = 248-version-negotiation-client + +[248-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[248-version-negotiation-client] +CipherString = DEFAULT +MinProtocol = TLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-248] +ExpectedResult = Success +Protocol = TLSv1 + + +# =========================================================== + +[249-version-negotiation] +ssl_conf = 249-version-negotiation-ssl + +[249-version-negotiation-ssl] +server = 249-version-negotiation-server +client = 249-version-negotiation-client + +[249-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[249-version-negotiation-client] +CipherString = DEFAULT +MinProtocol = TLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem 
+VerifyMode = Peer + + +[test-249] +ExpectedResult = Success +Protocol = TLSv1.1 + + +# =========================================================== + +[250-version-negotiation] +ssl_conf = 250-version-negotiation-ssl + +[250-version-negotiation-ssl] +server = 250-version-negotiation-server +client = 250-version-negotiation-client + +[250-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[250-version-negotiation-client] +CipherString = DEFAULT +MinProtocol = TLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-250] +ExpectedResult = Success +Protocol = TLSv1.2 + + +# =========================================================== + +[251-version-negotiation] +ssl_conf = 251-version-negotiation-ssl + +[251-version-negotiation-ssl] +server = 251-version-negotiation-server +client = 251-version-negotiation-client + +[251-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[251-version-negotiation-client] +CipherString = DEFAULT +MinProtocol = TLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-251] +ExpectedResult = Success +Protocol = TLSv1.2 + + +# =========================================================== + +[252-version-negotiation] +ssl_conf = 252-version-negotiation-ssl + +[252-version-negotiation-ssl] +server = 252-version-negotiation-server +client = 252-version-negotiation-client + +[252-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = SSLv3 +MinProtocol = SSLv3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[252-version-negotiation-client] +CipherString = DEFAULT +MinProtocol = TLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-252] 
+ExpectedResult = ServerFail + + +# =========================================================== + +[253-version-negotiation] +ssl_conf = 253-version-negotiation-ssl + +[253-version-negotiation-ssl] +server = 253-version-negotiation-server +client = 253-version-negotiation-client + +[253-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1 +MinProtocol = SSLv3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[253-version-negotiation-client] +CipherString = DEFAULT +MinProtocol = TLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-253] +ExpectedResult = Success +Protocol = TLSv1 + + +# =========================================================== + +[254-version-negotiation] +ssl_conf = 254-version-negotiation-ssl + +[254-version-negotiation-ssl] +server = 254-version-negotiation-server +client = 254-version-negotiation-client + +[254-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +MinProtocol = SSLv3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[254-version-negotiation-client] +CipherString = DEFAULT +MinProtocol = TLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-254] +ExpectedResult = Success +Protocol = TLSv1.1 + + +# =========================================================== + +[255-version-negotiation] +ssl_conf = 255-version-negotiation-ssl + +[255-version-negotiation-ssl] +server = 255-version-negotiation-server +client = 255-version-negotiation-client + +[255-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = SSLv3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[255-version-negotiation-client] +CipherString = DEFAULT +MinProtocol = TLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + 
+[test-255] +ExpectedResult = Success +Protocol = TLSv1.2 + + +# =========================================================== + +[256-version-negotiation] +ssl_conf = 256-version-negotiation-ssl + +[256-version-negotiation-ssl] +server = 256-version-negotiation-server +client = 256-version-negotiation-client + +[256-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MinProtocol = SSLv3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[256-version-negotiation-client] +CipherString = DEFAULT +MinProtocol = TLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-256] +ExpectedResult = Success +Protocol = TLSv1.2 + + +# =========================================================== + +[257-version-negotiation] +ssl_conf = 257-version-negotiation-ssl + +[257-version-negotiation-ssl] +server = 257-version-negotiation-server +client = 257-version-negotiation-client + +[257-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1 +MinProtocol = TLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[257-version-negotiation-client] +CipherString = DEFAULT +MinProtocol = TLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-257] +ExpectedResult = Success +Protocol = TLSv1 + + +# =========================================================== + +[258-version-negotiation] +ssl_conf = 258-version-negotiation-ssl + +[258-version-negotiation-ssl] +server = 258-version-negotiation-server +client = 258-version-negotiation-client + +[258-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +MinProtocol = TLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[258-version-negotiation-client] +CipherString = DEFAULT +MinProtocol = TLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + 
+[test-258] +ExpectedResult = Success +Protocol = TLSv1.1 + + +# =========================================================== + +[259-version-negotiation] +ssl_conf = 259-version-negotiation-ssl + +[259-version-negotiation-ssl] +server = 259-version-negotiation-server +client = 259-version-negotiation-client + +[259-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[259-version-negotiation-client] +CipherString = DEFAULT +MinProtocol = TLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-259] +ExpectedResult = Success +Protocol = TLSv1.2 + + +# =========================================================== + +[260-version-negotiation] +ssl_conf = 260-version-negotiation-ssl + +[260-version-negotiation-ssl] +server = 260-version-negotiation-server +client = 260-version-negotiation-client + +[260-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MinProtocol = TLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[260-version-negotiation-client] +CipherString = DEFAULT +MinProtocol = TLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-260] +ExpectedResult = Success +Protocol = TLSv1.2 + + +# =========================================================== + +[261-version-negotiation] +ssl_conf = 261-version-negotiation-ssl + +[261-version-negotiation-ssl] +server = 261-version-negotiation-server +client = 261-version-negotiation-client + +[261-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +MinProtocol = TLSv1.1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[261-version-negotiation-client] +CipherString = DEFAULT +MinProtocol = TLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer 
+ + +[test-261] +ExpectedResult = Success +Protocol = TLSv1.1 + + +# =========================================================== + +[262-version-negotiation] +ssl_conf = 262-version-negotiation-ssl + +[262-version-negotiation-ssl] +server = 262-version-negotiation-server +client = 262-version-negotiation-client + +[262-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1.1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[262-version-negotiation-client] +CipherString = DEFAULT +MinProtocol = TLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-262] +ExpectedResult = Success +Protocol = TLSv1.2 + + +# =========================================================== + +[263-version-negotiation] +ssl_conf = 263-version-negotiation-ssl + +[263-version-negotiation-ssl] +server = 263-version-negotiation-server +client = 263-version-negotiation-client + +[263-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MinProtocol = TLSv1.1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[263-version-negotiation-client] +CipherString = DEFAULT +MinProtocol = TLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-263] +ExpectedResult = Success +Protocol = TLSv1.2 + + +# =========================================================== + +[264-version-negotiation] +ssl_conf = 264-version-negotiation-ssl + +[264-version-negotiation-ssl] +server = 264-version-negotiation-server +client = 264-version-negotiation-client + +[264-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[264-version-negotiation-client] +CipherString = DEFAULT +MinProtocol = TLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem 
+VerifyMode = Peer + + +[test-264] +ExpectedResult = Success +Protocol = TLSv1.2 + + +# =========================================================== + +[265-version-negotiation] +ssl_conf = 265-version-negotiation-ssl + +[265-version-negotiation-ssl] +server = 265-version-negotiation-server +client = 265-version-negotiation-client + +[265-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MinProtocol = TLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[265-version-negotiation-client] +CipherString = DEFAULT +MinProtocol = TLSv1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-265] +ExpectedResult = Success +Protocol = TLSv1.2 + + +# =========================================================== + +[266-version-negotiation] +ssl_conf = 266-version-negotiation-ssl + +[266-version-negotiation-ssl] +server = 266-version-negotiation-server +client = 266-version-negotiation-client + +[266-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = SSLv3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[266-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +MinProtocol = TLSv1.1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-266] +ExpectedResult = ServerFail + + +# =========================================================== + +[267-version-negotiation] +ssl_conf = 267-version-negotiation-ssl + +[267-version-negotiation-ssl] +server = 267-version-negotiation-server +client = 267-version-negotiation-client + +[267-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[267-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +MinProtocol = TLSv1.1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem 
+VerifyMode = Peer + + +[test-267] +ExpectedResult = ClientFail + + +# =========================================================== + +[268-version-negotiation] +ssl_conf = 268-version-negotiation-ssl + +[268-version-negotiation-ssl] +server = 268-version-negotiation-server +client = 268-version-negotiation-client + +[268-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[268-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +MinProtocol = TLSv1.1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-268] +ExpectedResult = Success +Protocol = TLSv1.1 + + +# =========================================================== + +[269-version-negotiation] +ssl_conf = 269-version-negotiation-ssl + +[269-version-negotiation-ssl] +server = 269-version-negotiation-server +client = 269-version-negotiation-client + +[269-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[269-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +MinProtocol = TLSv1.1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-269] +ExpectedResult = Success +Protocol = TLSv1.1 + + +# =========================================================== + +[270-version-negotiation] +ssl_conf = 270-version-negotiation-ssl + +[270-version-negotiation-ssl] +server = 270-version-negotiation-server +client = 270-version-negotiation-client + +[270-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[270-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +MinProtocol = TLSv1.1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem 
+VerifyMode = Peer + + +[test-270] +ExpectedResult = Success +Protocol = TLSv1.1 + + +# =========================================================== + +[271-version-negotiation] +ssl_conf = 271-version-negotiation-ssl + +[271-version-negotiation-ssl] +server = 271-version-negotiation-server +client = 271-version-negotiation-client + +[271-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = SSLv3 +MinProtocol = SSLv3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[271-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +MinProtocol = TLSv1.1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-271] +ExpectedResult = ServerFail + + +# =========================================================== + +[272-version-negotiation] +ssl_conf = 272-version-negotiation-ssl + +[272-version-negotiation-ssl] +server = 272-version-negotiation-server +client = 272-version-negotiation-client + +[272-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1 +MinProtocol = SSLv3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[272-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +MinProtocol = TLSv1.1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-272] +ExpectedResult = ClientFail + + +# =========================================================== + +[273-version-negotiation] +ssl_conf = 273-version-negotiation-ssl + +[273-version-negotiation-ssl] +server = 273-version-negotiation-server +client = 273-version-negotiation-client + +[273-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +MinProtocol = SSLv3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[273-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +MinProtocol 
= TLSv1.1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-273] +ExpectedResult = Success +Protocol = TLSv1.1 + + +# =========================================================== + +[274-version-negotiation] +ssl_conf = 274-version-negotiation-ssl + +[274-version-negotiation-ssl] +server = 274-version-negotiation-server +client = 274-version-negotiation-client + +[274-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = SSLv3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[274-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +MinProtocol = TLSv1.1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-274] +ExpectedResult = Success +Protocol = TLSv1.1 + + +# =========================================================== + +[275-version-negotiation] +ssl_conf = 275-version-negotiation-ssl + +[275-version-negotiation-ssl] +server = 275-version-negotiation-server +client = 275-version-negotiation-client + +[275-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MinProtocol = SSLv3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[275-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +MinProtocol = TLSv1.1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-275] +ExpectedResult = Success +Protocol = TLSv1.1 + + +# =========================================================== + +[276-version-negotiation] +ssl_conf = 276-version-negotiation-ssl + +[276-version-negotiation-ssl] +server = 276-version-negotiation-server +client = 276-version-negotiation-client + +[276-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1 +MinProtocol = TLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + 
+[276-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +MinProtocol = TLSv1.1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-276] +ExpectedResult = ClientFail + + +# =========================================================== + +[277-version-negotiation] +ssl_conf = 277-version-negotiation-ssl + +[277-version-negotiation-ssl] +server = 277-version-negotiation-server +client = 277-version-negotiation-client + +[277-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +MinProtocol = TLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[277-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +MinProtocol = TLSv1.1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-277] +ExpectedResult = Success +Protocol = TLSv1.1 + + +# =========================================================== + +[278-version-negotiation] +ssl_conf = 278-version-negotiation-ssl + +[278-version-negotiation-ssl] +server = 278-version-negotiation-server +client = 278-version-negotiation-client + +[278-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[278-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +MinProtocol = TLSv1.1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-278] +ExpectedResult = Success +Protocol = TLSv1.1 + + +# =========================================================== + +[279-version-negotiation] +ssl_conf = 279-version-negotiation-ssl + +[279-version-negotiation-ssl] +server = 279-version-negotiation-server +client = 279-version-negotiation-client + +[279-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MinProtocol = 
TLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[279-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +MinProtocol = TLSv1.1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-279] +ExpectedResult = Success +Protocol = TLSv1.1 + + +# =========================================================== + +[280-version-negotiation] +ssl_conf = 280-version-negotiation-ssl + +[280-version-negotiation-ssl] +server = 280-version-negotiation-server +client = 280-version-negotiation-client + +[280-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +MinProtocol = TLSv1.1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[280-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +MinProtocol = TLSv1.1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-280] +ExpectedResult = Success +Protocol = TLSv1.1 + + +# =========================================================== + +[281-version-negotiation] +ssl_conf = 281-version-negotiation-ssl + +[281-version-negotiation-ssl] +server = 281-version-negotiation-server +client = 281-version-negotiation-client + +[281-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1.1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[281-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +MinProtocol = TLSv1.1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-281] +ExpectedResult = Success +Protocol = TLSv1.1 + + +# =========================================================== + +[282-version-negotiation] +ssl_conf = 282-version-negotiation-ssl + +[282-version-negotiation-ssl] +server = 282-version-negotiation-server +client = 282-version-negotiation-client + +[282-version-negotiation-server] 
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MinProtocol = TLSv1.1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[282-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +MinProtocol = TLSv1.1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-282] +ExpectedResult = Success +Protocol = TLSv1.1 + + +# =========================================================== + +[283-version-negotiation] +ssl_conf = 283-version-negotiation-ssl + +[283-version-negotiation-ssl] +server = 283-version-negotiation-server +client = 283-version-negotiation-client + +[283-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[283-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +MinProtocol = TLSv1.1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-283] +ExpectedResult = ServerFail + + +# =========================================================== + +[284-version-negotiation] +ssl_conf = 284-version-negotiation-ssl + +[284-version-negotiation-ssl] +server = 284-version-negotiation-server +client = 284-version-negotiation-client + +[284-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MinProtocol = TLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[284-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +MinProtocol = TLSv1.1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-284] +ExpectedResult = ServerFail + + +# =========================================================== + +[285-version-negotiation] +ssl_conf = 285-version-negotiation-ssl + +[285-version-negotiation-ssl] +server = 285-version-negotiation-server +client = 285-version-negotiation-client + 
+[285-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = SSLv3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[285-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1.1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-285] +ExpectedResult = ServerFail + + +# =========================================================== + +[286-version-negotiation] +ssl_conf = 286-version-negotiation-ssl + +[286-version-negotiation-ssl] +server = 286-version-negotiation-server +client = 286-version-negotiation-client + +[286-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[286-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1.1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-286] +ExpectedResult = ClientFail + + +# =========================================================== + +[287-version-negotiation] +ssl_conf = 287-version-negotiation-ssl + +[287-version-negotiation-ssl] +server = 287-version-negotiation-server +client = 287-version-negotiation-client + +[287-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[287-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1.1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-287] +ExpectedResult = Success +Protocol = TLSv1.1 + + +# =========================================================== + +[288-version-negotiation] +ssl_conf = 288-version-negotiation-ssl + +[288-version-negotiation-ssl] +server = 288-version-negotiation-server +client = 288-version-negotiation-client + 
+[288-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[288-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1.1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-288] +ExpectedResult = Success +Protocol = TLSv1.2 + + +# =========================================================== + +[289-version-negotiation] +ssl_conf = 289-version-negotiation-ssl + +[289-version-negotiation-ssl] +server = 289-version-negotiation-server +client = 289-version-negotiation-client + +[289-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[289-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1.1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-289] +ExpectedResult = Success +Protocol = TLSv1.2 + + +# =========================================================== + +[290-version-negotiation] +ssl_conf = 290-version-negotiation-ssl + +[290-version-negotiation-ssl] +server = 290-version-negotiation-server +client = 290-version-negotiation-client + +[290-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = SSLv3 +MinProtocol = SSLv3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[290-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1.1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-290] +ExpectedResult = ServerFail + + +# =========================================================== + +[291-version-negotiation] +ssl_conf = 291-version-negotiation-ssl + +[291-version-negotiation-ssl] +server = 291-version-negotiation-server +client = 
291-version-negotiation-client + +[291-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1 +MinProtocol = SSLv3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[291-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1.1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-291] +ExpectedResult = ClientFail + + +# =========================================================== + +[292-version-negotiation] +ssl_conf = 292-version-negotiation-ssl + +[292-version-negotiation-ssl] +server = 292-version-negotiation-server +client = 292-version-negotiation-client + +[292-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +MinProtocol = SSLv3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[292-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1.1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-292] +ExpectedResult = Success +Protocol = TLSv1.1 + + +# =========================================================== + +[293-version-negotiation] +ssl_conf = 293-version-negotiation-ssl + +[293-version-negotiation-ssl] +server = 293-version-negotiation-server +client = 293-version-negotiation-client + +[293-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = SSLv3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[293-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1.1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-293] +ExpectedResult = Success +Protocol = TLSv1.2 + + +# =========================================================== + +[294-version-negotiation] +ssl_conf = 294-version-negotiation-ssl + 
+[294-version-negotiation-ssl] +server = 294-version-negotiation-server +client = 294-version-negotiation-client + +[294-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MinProtocol = SSLv3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[294-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1.1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-294] +ExpectedResult = Success +Protocol = TLSv1.2 + + +# =========================================================== + +[295-version-negotiation] +ssl_conf = 295-version-negotiation-ssl + +[295-version-negotiation-ssl] +server = 295-version-negotiation-server +client = 295-version-negotiation-client + +[295-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1 +MinProtocol = TLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[295-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1.1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-295] +ExpectedResult = ClientFail + + +# =========================================================== + +[296-version-negotiation] +ssl_conf = 296-version-negotiation-ssl + +[296-version-negotiation-ssl] +server = 296-version-negotiation-server +client = 296-version-negotiation-client + +[296-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +MinProtocol = TLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[296-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1.1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-296] +ExpectedResult = Success +Protocol = TLSv1.1 + + +# =========================================================== + 
+[297-version-negotiation] +ssl_conf = 297-version-negotiation-ssl + +[297-version-negotiation-ssl] +server = 297-version-negotiation-server +client = 297-version-negotiation-client + +[297-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[297-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1.1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-297] +ExpectedResult = Success +Protocol = TLSv1.2 + + +# =========================================================== + +[298-version-negotiation] +ssl_conf = 298-version-negotiation-ssl + +[298-version-negotiation-ssl] +server = 298-version-negotiation-server +client = 298-version-negotiation-client + +[298-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MinProtocol = TLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[298-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1.1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-298] +ExpectedResult = Success +Protocol = TLSv1.2 + + +# =========================================================== + +[299-version-negotiation] +ssl_conf = 299-version-negotiation-ssl + +[299-version-negotiation-ssl] +server = 299-version-negotiation-server +client = 299-version-negotiation-client + +[299-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +MinProtocol = TLSv1.1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[299-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1.1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-299] +ExpectedResult = Success +Protocol 
= TLSv1.1 + + +# =========================================================== + +[300-version-negotiation] +ssl_conf = 300-version-negotiation-ssl + +[300-version-negotiation-ssl] +server = 300-version-negotiation-server +client = 300-version-negotiation-client + +[300-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1.1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[300-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1.1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-300] +ExpectedResult = Success +Protocol = TLSv1.2 + + +# =========================================================== + +[301-version-negotiation] +ssl_conf = 301-version-negotiation-ssl + +[301-version-negotiation-ssl] +server = 301-version-negotiation-server +client = 301-version-negotiation-client + +[301-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MinProtocol = TLSv1.1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[301-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1.1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-301] +ExpectedResult = Success +Protocol = TLSv1.2 + + +# =========================================================== + +[302-version-negotiation] +ssl_conf = 302-version-negotiation-ssl + +[302-version-negotiation-ssl] +server = 302-version-negotiation-server +client = 302-version-negotiation-client + +[302-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[302-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1.1 +VerifyCAFile = 
${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-302] +ExpectedResult = Success +Protocol = TLSv1.2 + + +# =========================================================== + +[303-version-negotiation] +ssl_conf = 303-version-negotiation-ssl + +[303-version-negotiation-ssl] +server = 303-version-negotiation-server +client = 303-version-negotiation-client + +[303-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MinProtocol = TLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[303-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1.1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-303] +ExpectedResult = Success +Protocol = TLSv1.2 + + +# =========================================================== + +[304-version-negotiation] +ssl_conf = 304-version-negotiation-ssl + +[304-version-negotiation-ssl] +server = 304-version-negotiation-server +client = 304-version-negotiation-client + +[304-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = SSLv3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[304-version-negotiation-client] +CipherString = DEFAULT +MinProtocol = TLSv1.1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-304] +ExpectedResult = ServerFail + + +# =========================================================== + +[305-version-negotiation] +ssl_conf = 305-version-negotiation-ssl + +[305-version-negotiation-ssl] +server = 305-version-negotiation-server +client = 305-version-negotiation-client + +[305-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[305-version-negotiation-client] +CipherString = DEFAULT +MinProtocol = TLSv1.1 +VerifyCAFile = 
${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-305] +ExpectedResult = ClientFail + + +# =========================================================== + +[306-version-negotiation] +ssl_conf = 306-version-negotiation-ssl + +[306-version-negotiation-ssl] +server = 306-version-negotiation-server +client = 306-version-negotiation-client + +[306-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[306-version-negotiation-client] +CipherString = DEFAULT +MinProtocol = TLSv1.1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-306] +ExpectedResult = Success +Protocol = TLSv1.1 + + +# =========================================================== + +[307-version-negotiation] +ssl_conf = 307-version-negotiation-ssl + +[307-version-negotiation-ssl] +server = 307-version-negotiation-server +client = 307-version-negotiation-client + +[307-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[307-version-negotiation-client] +CipherString = DEFAULT +MinProtocol = TLSv1.1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-307] +ExpectedResult = Success +Protocol = TLSv1.2 + + +# =========================================================== + +[308-version-negotiation] +ssl_conf = 308-version-negotiation-ssl + +[308-version-negotiation-ssl] +server = 308-version-negotiation-server +client = 308-version-negotiation-client + +[308-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[308-version-negotiation-client] +CipherString = DEFAULT +MinProtocol = TLSv1.1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-308] 
+ExpectedResult = Success +Protocol = TLSv1.2 + + +# =========================================================== + +[309-version-negotiation] +ssl_conf = 309-version-negotiation-ssl + +[309-version-negotiation-ssl] +server = 309-version-negotiation-server +client = 309-version-negotiation-client + +[309-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = SSLv3 +MinProtocol = SSLv3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[309-version-negotiation-client] +CipherString = DEFAULT +MinProtocol = TLSv1.1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-309] +ExpectedResult = ServerFail + + +# =========================================================== + +[310-version-negotiation] +ssl_conf = 310-version-negotiation-ssl + +[310-version-negotiation-ssl] +server = 310-version-negotiation-server +client = 310-version-negotiation-client + +[310-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1 +MinProtocol = SSLv3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[310-version-negotiation-client] +CipherString = DEFAULT +MinProtocol = TLSv1.1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-310] +ExpectedResult = ClientFail + + +# =========================================================== + +[311-version-negotiation] +ssl_conf = 311-version-negotiation-ssl + +[311-version-negotiation-ssl] +server = 311-version-negotiation-server +client = 311-version-negotiation-client + +[311-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +MinProtocol = SSLv3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[311-version-negotiation-client] +CipherString = DEFAULT +MinProtocol = TLSv1.1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-311] 
+ExpectedResult = Success +Protocol = TLSv1.1 + + +# =========================================================== + +[312-version-negotiation] +ssl_conf = 312-version-negotiation-ssl + +[312-version-negotiation-ssl] +server = 312-version-negotiation-server +client = 312-version-negotiation-client + +[312-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = SSLv3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[312-version-negotiation-client] +CipherString = DEFAULT +MinProtocol = TLSv1.1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-312] +ExpectedResult = Success +Protocol = TLSv1.2 + + +# =========================================================== + +[313-version-negotiation] +ssl_conf = 313-version-negotiation-ssl + +[313-version-negotiation-ssl] +server = 313-version-negotiation-server +client = 313-version-negotiation-client + +[313-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MinProtocol = SSLv3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[313-version-negotiation-client] +CipherString = DEFAULT +MinProtocol = TLSv1.1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-313] +ExpectedResult = Success +Protocol = TLSv1.2 + + +# =========================================================== + +[314-version-negotiation] +ssl_conf = 314-version-negotiation-ssl + +[314-version-negotiation-ssl] +server = 314-version-negotiation-server +client = 314-version-negotiation-client + +[314-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1 +MinProtocol = TLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[314-version-negotiation-client] +CipherString = DEFAULT +MinProtocol = TLSv1.1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + 
+[test-314] +ExpectedResult = ClientFail + + +# =========================================================== + +[315-version-negotiation] +ssl_conf = 315-version-negotiation-ssl + +[315-version-negotiation-ssl] +server = 315-version-negotiation-server +client = 315-version-negotiation-client + +[315-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +MinProtocol = TLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[315-version-negotiation-client] +CipherString = DEFAULT +MinProtocol = TLSv1.1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-315] +ExpectedResult = Success +Protocol = TLSv1.1 + + +# =========================================================== + +[316-version-negotiation] +ssl_conf = 316-version-negotiation-ssl + +[316-version-negotiation-ssl] +server = 316-version-negotiation-server +client = 316-version-negotiation-client + +[316-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[316-version-negotiation-client] +CipherString = DEFAULT +MinProtocol = TLSv1.1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-316] +ExpectedResult = Success +Protocol = TLSv1.2 + + +# =========================================================== + +[317-version-negotiation] +ssl_conf = 317-version-negotiation-ssl + +[317-version-negotiation-ssl] +server = 317-version-negotiation-server +client = 317-version-negotiation-client + +[317-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MinProtocol = TLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[317-version-negotiation-client] +CipherString = DEFAULT +MinProtocol = TLSv1.1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + 
+[test-317] +ExpectedResult = Success +Protocol = TLSv1.2 + + +# =========================================================== + +[318-version-negotiation] +ssl_conf = 318-version-negotiation-ssl + +[318-version-negotiation-ssl] +server = 318-version-negotiation-server +client = 318-version-negotiation-client + +[318-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +MinProtocol = TLSv1.1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[318-version-negotiation-client] +CipherString = DEFAULT +MinProtocol = TLSv1.1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-318] +ExpectedResult = Success +Protocol = TLSv1.1 + + +# =========================================================== + +[319-version-negotiation] +ssl_conf = 319-version-negotiation-ssl + +[319-version-negotiation-ssl] +server = 319-version-negotiation-server +client = 319-version-negotiation-client + +[319-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1.1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[319-version-negotiation-client] +CipherString = DEFAULT +MinProtocol = TLSv1.1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-319] +ExpectedResult = Success +Protocol = TLSv1.2 + + +# =========================================================== + +[320-version-negotiation] +ssl_conf = 320-version-negotiation-ssl + +[320-version-negotiation-ssl] +server = 320-version-negotiation-server +client = 320-version-negotiation-client + +[320-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MinProtocol = TLSv1.1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[320-version-negotiation-client] +CipherString = DEFAULT +MinProtocol = TLSv1.1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem 
+VerifyMode = Peer + + +[test-320] +ExpectedResult = Success +Protocol = TLSv1.2 + + +# =========================================================== + +[321-version-negotiation] +ssl_conf = 321-version-negotiation-ssl + +[321-version-negotiation-ssl] +server = 321-version-negotiation-server +client = 321-version-negotiation-client + +[321-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[321-version-negotiation-client] +CipherString = DEFAULT +MinProtocol = TLSv1.1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-321] +ExpectedResult = Success +Protocol = TLSv1.2 + + +# =========================================================== + +[322-version-negotiation] +ssl_conf = 322-version-negotiation-ssl + +[322-version-negotiation-ssl] +server = 322-version-negotiation-server +client = 322-version-negotiation-client + +[322-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MinProtocol = TLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[322-version-negotiation-client] +CipherString = DEFAULT +MinProtocol = TLSv1.1 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-322] +ExpectedResult = Success +Protocol = TLSv1.2 + + +# =========================================================== + +[323-version-negotiation] +ssl_conf = 323-version-negotiation-ssl + +[323-version-negotiation-ssl] +server = 323-version-negotiation-server +client = 323-version-negotiation-client + +[323-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = SSLv3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[323-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1.2 +VerifyCAFile = 
${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-323] +ExpectedResult = ServerFail + + +# =========================================================== + +[324-version-negotiation] +ssl_conf = 324-version-negotiation-ssl + +[324-version-negotiation-ssl] +server = 324-version-negotiation-server +client = 324-version-negotiation-client + +[324-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[324-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-324] +ExpectedResult = ClientFail + + +# =========================================================== + +[325-version-negotiation] +ssl_conf = 325-version-negotiation-ssl + +[325-version-negotiation-ssl] +server = 325-version-negotiation-server +client = 325-version-negotiation-client + +[325-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[325-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-325] +ExpectedResult = ClientFail + + +# =========================================================== + +[326-version-negotiation] +ssl_conf = 326-version-negotiation-ssl + +[326-version-negotiation-ssl] +server = 326-version-negotiation-server +client = 326-version-negotiation-client + +[326-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[326-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1.2 +VerifyCAFile = 
${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-326] +ExpectedResult = Success +Protocol = TLSv1.2 + + +# =========================================================== + +[327-version-negotiation] +ssl_conf = 327-version-negotiation-ssl + +[327-version-negotiation-ssl] +server = 327-version-negotiation-server +client = 327-version-negotiation-client + +[327-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[327-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-327] +ExpectedResult = Success +Protocol = TLSv1.2 + + +# =========================================================== + +[328-version-negotiation] +ssl_conf = 328-version-negotiation-ssl + +[328-version-negotiation-ssl] +server = 328-version-negotiation-server +client = 328-version-negotiation-client + +[328-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = SSLv3 +MinProtocol = SSLv3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[328-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-328] +ExpectedResult = ServerFail + + +# =========================================================== + +[329-version-negotiation] +ssl_conf = 329-version-negotiation-ssl + +[329-version-negotiation-ssl] +server = 329-version-negotiation-server +client = 329-version-negotiation-client + +[329-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1 +MinProtocol = SSLv3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[329-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.2 
+MinProtocol = TLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-329] +ExpectedResult = ClientFail + + +# =========================================================== + +[330-version-negotiation] +ssl_conf = 330-version-negotiation-ssl + +[330-version-negotiation-ssl] +server = 330-version-negotiation-server +client = 330-version-negotiation-client + +[330-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +MinProtocol = SSLv3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[330-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-330] +ExpectedResult = ClientFail + + +# =========================================================== + +[331-version-negotiation] +ssl_conf = 331-version-negotiation-ssl + +[331-version-negotiation-ssl] +server = 331-version-negotiation-server +client = 331-version-negotiation-client + +[331-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = SSLv3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[331-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-331] +ExpectedResult = Success +Protocol = TLSv1.2 + + +# =========================================================== + +[332-version-negotiation] +ssl_conf = 332-version-negotiation-ssl + +[332-version-negotiation-ssl] +server = 332-version-negotiation-server +client = 332-version-negotiation-client + +[332-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MinProtocol = SSLv3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[332-version-negotiation-client] 
+CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-332] +ExpectedResult = Success +Protocol = TLSv1.2 + + +# =========================================================== + +[333-version-negotiation] +ssl_conf = 333-version-negotiation-ssl + +[333-version-negotiation-ssl] +server = 333-version-negotiation-server +client = 333-version-negotiation-client + +[333-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1 +MinProtocol = TLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[333-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-333] +ExpectedResult = ClientFail + + +# =========================================================== + +[334-version-negotiation] +ssl_conf = 334-version-negotiation-ssl + +[334-version-negotiation-ssl] +server = 334-version-negotiation-server +client = 334-version-negotiation-client + +[334-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +MinProtocol = TLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[334-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-334] +ExpectedResult = ClientFail + + +# =========================================================== + +[335-version-negotiation] +ssl_conf = 335-version-negotiation-ssl + +[335-version-negotiation-ssl] +server = 335-version-negotiation-server +client = 335-version-negotiation-client + +[335-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1 +PrivateKey = 
${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[335-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-335] +ExpectedResult = Success +Protocol = TLSv1.2 + + +# =========================================================== + +[336-version-negotiation] +ssl_conf = 336-version-negotiation-ssl + +[336-version-negotiation-ssl] +server = 336-version-negotiation-server +client = 336-version-negotiation-client + +[336-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MinProtocol = TLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[336-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-336] +ExpectedResult = Success +Protocol = TLSv1.2 + + +# =========================================================== + +[337-version-negotiation] +ssl_conf = 337-version-negotiation-ssl + +[337-version-negotiation-ssl] +server = 337-version-negotiation-server +client = 337-version-negotiation-client + +[337-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +MinProtocol = TLSv1.1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[337-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-337] +ExpectedResult = ClientFail + + +# =========================================================== + +[338-version-negotiation] +ssl_conf = 338-version-negotiation-ssl + +[338-version-negotiation-ssl] +server = 338-version-negotiation-server +client = 338-version-negotiation-client + +[338-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = 
DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1.1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[338-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-338] +ExpectedResult = Success +Protocol = TLSv1.2 + + +# =========================================================== + +[339-version-negotiation] +ssl_conf = 339-version-negotiation-ssl + +[339-version-negotiation-ssl] +server = 339-version-negotiation-server +client = 339-version-negotiation-client + +[339-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MinProtocol = TLSv1.1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[339-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-339] +ExpectedResult = Success +Protocol = TLSv1.2 + + +# =========================================================== + +[340-version-negotiation] +ssl_conf = 340-version-negotiation-ssl + +[340-version-negotiation-ssl] +server = 340-version-negotiation-server +client = 340-version-negotiation-client + +[340-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[340-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-340] +ExpectedResult = Success +Protocol = TLSv1.2 + + +# =========================================================== + +[341-version-negotiation] +ssl_conf = 341-version-negotiation-ssl + +[341-version-negotiation-ssl] +server = 341-version-negotiation-server +client = 341-version-negotiation-client + 
+[341-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MinProtocol = TLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[341-version-negotiation-client] +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-341] +ExpectedResult = Success +Protocol = TLSv1.2 + + +# =========================================================== + +[342-version-negotiation] +ssl_conf = 342-version-negotiation-ssl + +[342-version-negotiation-ssl] +server = 342-version-negotiation-server +client = 342-version-negotiation-client + +[342-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = SSLv3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[342-version-negotiation-client] +CipherString = DEFAULT +MinProtocol = TLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-342] +ExpectedResult = ServerFail + + +# =========================================================== + +[343-version-negotiation] +ssl_conf = 343-version-negotiation-ssl + +[343-version-negotiation-ssl] +server = 343-version-negotiation-server +client = 343-version-negotiation-client + +[343-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[343-version-negotiation-client] +CipherString = DEFAULT +MinProtocol = TLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-343] +ExpectedResult = ClientFail + + +# =========================================================== + +[344-version-negotiation] +ssl_conf = 344-version-negotiation-ssl + +[344-version-negotiation-ssl] +server = 344-version-negotiation-server +client = 344-version-negotiation-client + +[344-version-negotiation-server] +Certificate 
= ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[344-version-negotiation-client] +CipherString = DEFAULT +MinProtocol = TLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-344] +ExpectedResult = ClientFail + + +# =========================================================== + +[345-version-negotiation] +ssl_conf = 345-version-negotiation-ssl + +[345-version-negotiation-ssl] +server = 345-version-negotiation-server +client = 345-version-negotiation-client + +[345-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[345-version-negotiation-client] +CipherString = DEFAULT +MinProtocol = TLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-345] +ExpectedResult = Success +Protocol = TLSv1.2 + + +# =========================================================== + +[346-version-negotiation] +ssl_conf = 346-version-negotiation-ssl + +[346-version-negotiation-ssl] +server = 346-version-negotiation-server +client = 346-version-negotiation-client + +[346-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[346-version-negotiation-client] +CipherString = DEFAULT +MinProtocol = TLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-346] +ExpectedResult = Success +Protocol = TLSv1.2 + + +# =========================================================== + +[347-version-negotiation] +ssl_conf = 347-version-negotiation-ssl + +[347-version-negotiation-ssl] +server = 347-version-negotiation-server +client = 347-version-negotiation-client + +[347-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT 
+MaxProtocol = SSLv3 +MinProtocol = SSLv3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[347-version-negotiation-client] +CipherString = DEFAULT +MinProtocol = TLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-347] +ExpectedResult = ServerFail + + +# =========================================================== + +[348-version-negotiation] +ssl_conf = 348-version-negotiation-ssl + +[348-version-negotiation-ssl] +server = 348-version-negotiation-server +client = 348-version-negotiation-client + +[348-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1 +MinProtocol = SSLv3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[348-version-negotiation-client] +CipherString = DEFAULT +MinProtocol = TLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-348] +ExpectedResult = ClientFail + + +# =========================================================== + +[349-version-negotiation] +ssl_conf = 349-version-negotiation-ssl + +[349-version-negotiation-ssl] +server = 349-version-negotiation-server +client = 349-version-negotiation-client + +[349-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.1 +MinProtocol = SSLv3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[349-version-negotiation-client] +CipherString = DEFAULT +MinProtocol = TLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-349] +ExpectedResult = ClientFail + + +# =========================================================== + +[350-version-negotiation] +ssl_conf = 350-version-negotiation-ssl + +[350-version-negotiation-ssl] +server = 350-version-negotiation-server +client = 350-version-negotiation-client + +[350-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.2 
+MinProtocol = SSLv3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[350-version-negotiation-client] +CipherString = DEFAULT +MinProtocol = TLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-350] +ExpectedResult = Success +Protocol = TLSv1.2 + + +# =========================================================== + +[351-version-negotiation] +ssl_conf = 351-version-negotiation-ssl + +[351-version-negotiation-ssl] +server = 351-version-negotiation-server +client = 351-version-negotiation-client + +[351-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MinProtocol = SSLv3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[351-version-negotiation-client] +CipherString = DEFAULT +MinProtocol = TLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-351] +ExpectedResult = Success +Protocol = TLSv1.2 + + +# =========================================================== + +[352-version-negotiation] +ssl_conf = 352-version-negotiation-ssl + +[352-version-negotiation-ssl] +server = 352-version-negotiation-server +client = 352-version-negotiation-client + +[352-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1 +MinProtocol = TLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[352-version-negotiation-client] +CipherString = DEFAULT +MinProtocol = TLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-352] +ExpectedResult = ClientFail + + +# =========================================================== + +[353-version-negotiation] +ssl_conf = 353-version-negotiation-ssl + +[353-version-negotiation-ssl] +server = 353-version-negotiation-server +client = 353-version-negotiation-client + +[353-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.1 
+MinProtocol = TLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[353-version-negotiation-client] +CipherString = DEFAULT +MinProtocol = TLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-353] +ExpectedResult = ClientFail + + +# =========================================================== + +[354-version-negotiation] +ssl_conf = 354-version-negotiation-ssl + +[354-version-negotiation-ssl] +server = 354-version-negotiation-server +client = 354-version-negotiation-client + +[354-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[354-version-negotiation-client] +CipherString = DEFAULT +MinProtocol = TLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-354] +ExpectedResult = Success +Protocol = TLSv1.2 + + +# =========================================================== + +[355-version-negotiation] +ssl_conf = 355-version-negotiation-ssl + +[355-version-negotiation-ssl] +server = 355-version-negotiation-server +client = 355-version-negotiation-client + +[355-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MinProtocol = TLSv1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[355-version-negotiation-client] +CipherString = DEFAULT +MinProtocol = TLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-355] +ExpectedResult = Success +Protocol = TLSv1.2 + + +# =========================================================== + +[356-version-negotiation] +ssl_conf = 356-version-negotiation-ssl + +[356-version-negotiation-ssl] +server = 356-version-negotiation-server +client = 356-version-negotiation-client + +[356-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.1 
+MinProtocol = TLSv1.1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[356-version-negotiation-client] +CipherString = DEFAULT +MinProtocol = TLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-356] +ExpectedResult = ClientFail + + +# =========================================================== + +[357-version-negotiation] +ssl_conf = 357-version-negotiation-ssl + +[357-version-negotiation-ssl] +server = 357-version-negotiation-server +client = 357-version-negotiation-client + +[357-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.2 +MinProtocol = TLSv1.1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[357-version-negotiation-client] +CipherString = DEFAULT +MinProtocol = TLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-357] +ExpectedResult = Success +Protocol = TLSv1.2 + + +# =========================================================== + +[358-version-negotiation] +ssl_conf = 358-version-negotiation-ssl + +[358-version-negotiation-ssl] +server = 358-version-negotiation-server +client = 358-version-negotiation-client + +[358-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MinProtocol = TLSv1.1 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[358-version-negotiation-client] +CipherString = DEFAULT +MinProtocol = TLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-358] +ExpectedResult = Success +Protocol = TLSv1.2 + + +# =========================================================== + +[359-version-negotiation] +ssl_conf = 359-version-negotiation-ssl + +[359-version-negotiation-ssl] +server = 359-version-negotiation-server +client = 359-version-negotiation-client + +[359-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MaxProtocol = TLSv1.2 
+MinProtocol = TLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[359-version-negotiation-client] +CipherString = DEFAULT +MinProtocol = TLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-359] +ExpectedResult = Success +Protocol = TLSv1.2 + + +# =========================================================== + +[360-version-negotiation] +ssl_conf = 360-version-negotiation-ssl + +[360-version-negotiation-ssl] +server = 360-version-negotiation-server +client = 360-version-negotiation-client + +[360-version-negotiation-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +MinProtocol = TLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + + +[360-version-negotiation-client] +CipherString = DEFAULT +MinProtocol = TLSv1.2 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + + +[test-360] +ExpectedResult = Success +Protocol = TLSv1.2 + + diff --git a/test/ssl-tests/02-protocol-version.conf.in b/test/ssl-tests/02-protocol-version.conf.in new file mode 100644 index 0000000..99b1dc0 --- /dev/null +++ b/test/ssl-tests/02-protocol-version.conf.in 
@@ -0,0 +1,115 @@ +# -*- mode: perl; -*- + +## Test version negotiation + +package ssltests; + +use List::Util qw/max min/; + +use OpenSSL::Test; +use OpenSSL::Test::Utils qw/anydisabled alldisabled/; +setup("no_test_here"); + +my @protocols = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"); +# undef stands for "no limit". +my @min_protocols = (undef, "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"); +my @max_protocols = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", undef); + +my @is_disabled = anydisabled("ssl3", "tls1", "tls1_1", "tls1_2"); + +my $min_enabled; my $max_enabled; + +# Protocol configuration works in cascades, i.e., +# $no_tls1_1 disables TLSv1.1 and below. +# +# $min_enabled and $max_enabled will be correct if there is at least one +# protocol enabled. +foreach my $i (0..$#protocols) { + if (!$is_disabled[$i]) { + $min_enabled = $i; + last; + } +} + +foreach my $i (0..$#protocols) { + if (!$is_disabled[$i]) { + $max_enabled = $i; + } +} + +our @tests = (); + +sub generate_tests() { + foreach my $c_min (0..$#min_protocols) { + my $c_max_min = $c_min == 0 ? 0 : $c_min - 1; + foreach my $c_max ($c_max_min..$#max_protocols) { + foreach my $s_min (0..$#min_protocols) { + my $s_max_min = $s_min == 0 ? 0 : $s_min - 1; + foreach my $s_max ($s_max_min..$#max_protocols) { + my ($result, $protocol) = + expected_result($c_min, $c_max, $s_min, $s_max); + push @tests, { + "name" => "version-negotiation", + "client" => { + "MinProtocol" => $min_protocols[$c_min], + "MaxProtocol" => $max_protocols[$c_max], + }, + "server" => { + "MinProtocol" => $min_protocols[$s_min], + "MaxProtocol" => $max_protocols[$s_max], + }, + "test" => { + "ExpectedResult" => $result, + "Protocol" => $protocol + } + }; + } + } + } + } +} + +sub expected_result { + my $no_tls = alldisabled("ssl3", "tls1", "tls1_1", "tls1_2"); + if ($no_tls) { + return ("InternalError", undef); + } + + my ($c_min, $c_max, $s_min, $s_max) = @_; + + # Adjust for "undef" (no limit). + $c_min = $c_min == 0 ? 
0 : $c_min - 1; + $c_max = $c_max == scalar(@max_protocols) - 1 ? $c_max - 1 : $c_max; + $s_min = $s_min == 0 ? 0 : $s_min - 1; + $s_max = $s_max == scalar(@max_protocols) - 1 ? $s_max - 1 : $s_max; + + # We now have at least one protocol enabled, so $min_enabled and + # $max_enabled are well-defined. + $c_min = max $c_min, $min_enabled; + $s_min = max $s_min, $min_enabled; + $c_max = min $c_max, $max_enabled; + $s_max = min $s_max, $max_enabled; + + if ($c_min > $c_max) { + # Client should fail to even send a hello. + # This results in an internal error since the server will be + # waiting for input that never arrives. + return ("InternalError", undef); + } elsif ($s_min > $s_max) { + # Server has no protocols, should always fail. + return ("ServerFail", undef); + } elsif ($s_min > $c_max) { + # Server doesn't support the client range. + return ("ServerFail", undef); + } elsif ($c_min > $s_max) { + # Server will try with a version that is lower than the lowest + # supported client version. + return ("ClientFail", undef); + } else { + # Server and client ranges overlap. + my $max_common = $s_max < $c_max ? $s_max : $c_max; + return ("Success", $protocols[$max_common]); + } +} + +generate_tests(); diff --git a/test/ssl-tests/ssltests_base.pm b/test/ssl-tests/ssltests_base.pm new file mode 100644 index 0000000..05aab97 --- /dev/null +++ b/test/ssl-tests/ssltests_base.pm @@ -0,0 +1,17 @@ +# -*- mode: perl; -*- + +## SSL test configurations + +package ssltests; + +our %base_server = ( + "Certificate" => "\${ENV::TEST_CERTS_DIR}/servercert.pem", + "PrivateKey" => "\${ENV::TEST_CERTS_DIR}/serverkey.pem", + "CipherString" => "DEFAULT", +); + +our %base_client = ( + "VerifyCAFile" => "\${ENV::TEST_CERTS_DIR}/rootcert.pem", + "VerifyMode" => "Peer", + "CipherString" => "DEFAULT", +); diff --git a/test/ssl_test.c b/test/ssl_test.c new file mode 100644 index 0000000..01ce5d5 --- /dev/null +++ b/test/ssl_test.c 
@@ -0,0 +1,217 @@ +/* + * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL licenses, (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * https://www.openssl.org/source/license.html + * or in the file LICENSE in the source distribution. + */ + +#include + +#include +#include +#include + +#include "handshake_helper.h" +#include "ssl_test_ctx.h" +#include "testutil.h" + +static CONF *conf = NULL; + +/* Currently the section names are of the form test-, e.g. test-15. */ +#define MAX_TESTCASE_NAME_LENGTH 100 + +typedef struct ssl_test_ctx_test_fixture { + const char *test_case_name; + char test_app[MAX_TESTCASE_NAME_LENGTH]; +} SSL_TEST_FIXTURE; + +static SSL_TEST_FIXTURE set_up(const char *const test_case_name) +{ + SSL_TEST_FIXTURE fixture; + fixture.test_case_name = test_case_name; + return fixture; +} + +static const char *print_alert(int alert) +{ + return alert ? SSL_alert_desc_string_long(alert) : "no alert"; +} + +static int check_result(HANDSHAKE_RESULT result, SSL_TEST_CTX *test_ctx) +{ + if (result.result != test_ctx->expected_result) { + fprintf(stderr, "ExpectedResult mismatch: expected %s, got %s.\n", + ssl_test_result_t_name(test_ctx->expected_result), + ssl_test_result_t_name(result.result)); + return 0; + } + return 1; +} + +static int check_alerts(HANDSHAKE_RESULT result, SSL_TEST_CTX *test_ctx) +{ + if (result.client_alert_sent != result.client_alert_received) { + fprintf(stderr, "Client sent alert %s but server received %s\n.", + print_alert(result.client_alert_sent), + print_alert(result.client_alert_received)); + /* + * We can't bail here because the peer doesn't always get far enough + * to process a received alert. Specifically, in protocol version + * negotiation tests, we have the following scenario. + * Client supports TLS v1.2 only; Server supports TLS v1.1. 
+ * Client proposes TLS v1.2; server responds with 1.1; + * Client now sends a protocol alert, using TLS v1.2 in the header. + * The server, however, rejects the alert because of version mismatch + * in the record layer; therefore, the server appears to never + * receive the alert. + */ + /* return 0; */ + } + + if (result.server_alert_sent != result.server_alert_received) { + fprintf(stderr, "Server sent alert %s but client received %s\n.", + print_alert(result.server_alert_sent), + print_alert(result.server_alert_received)); + /* return 0; */ + } + + /* Tolerate an alert if one wasn't explicitly specified in the test. */ + if (test_ctx->client_alert + /* + * The info callback alert value is computed as + * (s->s3->send_alert[0] << 8) | s->s3->send_alert[1] + * where the low byte is the alert code and the high byte is other stuff. + */ + && (result.client_alert_sent & 0xff) != test_ctx->client_alert) { + fprintf(stderr, "ClientAlert mismatch: expected %s, got %s.\n", + print_alert(test_ctx->client_alert), + print_alert(result.client_alert_sent)); + return 0; + } + + if (test_ctx->server_alert + && (result.server_alert_sent & 0xff) != test_ctx->server_alert) { + fprintf(stderr, "ServerAlert mismatch: expected %s, got %s.\n", + print_alert(test_ctx->server_alert), + print_alert(result.server_alert_sent)); + return 0; + } + + return 1; +} + +static int check_protocol(HANDSHAKE_RESULT result, SSL_TEST_CTX *test_ctx) +{ + if (result.client_protocol != result.server_protocol) { + fprintf(stderr, "Client has protocol %s but server has %s\n.", + ssl_protocol_name(result.client_protocol), + ssl_protocol_name(result.server_protocol)); + return 0; + } + + if (test_ctx->protocol) { + if (result.client_protocol != test_ctx->protocol) { + fprintf(stderr, "Protocol mismatch: expected %s, got %s.\n", + ssl_protocol_name(test_ctx->protocol), + ssl_protocol_name(result.client_protocol)); + return 0; + } + } + return 1; +} + +/* + * This could be further simplified by constructing 
an expected + * HANDSHAKE_RESULT, and implementing comparison methods for + * its fields. + */ +static int check_test(HANDSHAKE_RESULT result, SSL_TEST_CTX *test_ctx) +{ + int ret = 1; + ret &= check_result(result, test_ctx); + ret &= check_alerts(result, test_ctx); + if (result.result == SSL_TEST_SUCCESS) + ret &= check_protocol(result, test_ctx); + return ret; +} + +static int execute_test(SSL_TEST_FIXTURE fixture) +{ + /* TODO(emilia): this is confusing. Flip to return 1 on success. */ + int ret = 1; + SSL_CTX *server_ctx = NULL, *client_ctx = NULL; + SSL_TEST_CTX *test_ctx = NULL; + HANDSHAKE_RESULT result; + + server_ctx = SSL_CTX_new(TLS_server_method()); + client_ctx = SSL_CTX_new(TLS_client_method()); + OPENSSL_assert(server_ctx != NULL && client_ctx != NULL); + + OPENSSL_assert(CONF_modules_load(conf, fixture.test_app, 0) > 0); + + if (!SSL_CTX_config(server_ctx, "server") + || !SSL_CTX_config(client_ctx, "client")) { + goto err; + } + + test_ctx = SSL_TEST_CTX_create(conf, fixture.test_app); + if (test_ctx == NULL) + goto err; + + result = do_handshake(server_ctx, client_ctx); + + if (check_test(result, test_ctx)) + ret = 0; + +err: + CONF_modules_unload(0); + SSL_CTX_free(server_ctx); + SSL_CTX_free(client_ctx); + SSL_TEST_CTX_free(test_ctx); + if (ret != 0) + ERR_print_errors_fp(stderr); + return ret; +} + +static void tear_down(SSL_TEST_FIXTURE fixture) +{ +} + +#define SETUP_SSL_TEST_FIXTURE() \ + SETUP_TEST_FIXTURE(SSL_TEST_FIXTURE, set_up) +#define EXECUTE_SSL_TEST() \ + EXECUTE_TEST(execute_test, tear_down) + +static int test_handshake(int idx) +{ + SETUP_SSL_TEST_FIXTURE(); + snprintf(fixture.test_app, sizeof(fixture.test_app), + "test-%d", idx); + EXECUTE_SSL_TEST(); +} + +int main(int argc, char **argv) +{ + int result = 0; + long num_tests; + + if (argc != 2) + return 1; + + conf = NCONF_new(NULL); + OPENSSL_assert(conf != NULL); + + /* argv[1] should point to the test conf file */ + OPENSSL_assert(NCONF_load(conf, argv[1], NULL) > 0); + + 
OPENSSL_assert(NCONF_get_number_e(conf, NULL, "num_tests", &num_tests)); + + ADD_ALL_TESTS(test_handshake, (int)(num_tests)); + result = run_tests(argv[0]); + + CONF_modules_free(); + return result; +} diff --git a/test/ssl_test.tmpl b/test/ssl_test.tmpl new file mode 100644 index 0000000..b3c953a --- /dev/null +++ b/test/ssl_test.tmpl @@ -0,0 +1,27 @@ +[{-$testname-}] +ssl_conf = {-$testname-}-ssl + +[{-$testname-}-ssl] +server = {-$testname-}-server +client = {-$testname-}-client + +[{-$testname-}-server] +{- + foreach my $key (sort keys %server) { + $OUT .= qq{$key} . " = " . qq{$server{$key}\n} if defined $server{$key}; + } +-} + +[{-$testname-}-client] +{- + foreach my $key (sort keys %client) { + $OUT .= qq{$key} . " = " . qq{$client{$key}\n} if defined $client{$key}; + } +-} + +[test-{-$idx-}] +{- + foreach my $key (sort keys %test) { + $OUT .= qq{$key} ." = " . qq{$test{$key}\n} if defined $test{$key}; + } +-} diff --git a/test/ssl_test_ctx.c b/test/ssl_test_ctx.c new file mode 100644 index 0000000..0c1bbbd --- /dev/null +++ b/test/ssl_test_ctx.c 
@@ -0,0 +1,205 @@ +/* + * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL licenses, (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * https://www.openssl.org/source/license.html + * or in the file LICENSE in the source distribution. + */ + +#include + +#include +#include + +#include "e_os.h" +#include "ssl_test_ctx.h" + +/* True enums and other test configuration values that map to an int. */ +typedef struct { + const char *name; + int value; +} test_enum; + + +__owur static int parse_enum(const test_enum *enums, size_t num_enums, + int *value, const char *name) +{ + size_t i; + for (i = 0; i < num_enums; i++) { + if (strcmp(enums[i].name, name) == 0) { + *value = enums[i].value; + return 1; + } + } + return 0; +} + +static const char *enum_name(const test_enum *enums, size_t num_enums, + int value) +{ + size_t i; + for (i = 0; i < num_enums; i++) { + if (enums[i].value == value) { + return enums[i].name; + } + } + return "InvalidValue"; +} + + +/*******************/ +/* ExpectedResult. */ +/*******************/ + +static const test_enum ssl_test_results[] = { + {"Success", SSL_TEST_SUCCESS}, + {"ServerFail", SSL_TEST_SERVER_FAIL}, + {"ClientFail", SSL_TEST_CLIENT_FAIL}, + {"InternalError", SSL_TEST_INTERNAL_ERROR}, +}; + +__owur static int parse_expected_result(SSL_TEST_CTX *test_ctx, const char *value) +{ + int ret_value; + if (!parse_enum(ssl_test_results, OSSL_NELEM(ssl_test_results), + &ret_value, value)) { + return 0; + } + test_ctx->expected_result = ret_value; + return 1; +} + +const char *ssl_test_result_t_name(ssl_test_result_t result) +{ + return enum_name(ssl_test_results, OSSL_NELEM(ssl_test_results), result); +} + +/******************************/ +/* ClientAlert / ServerAlert. 
*/ +/******************************/ + +static const test_enum ssl_alerts[] = { + {"UnknownCA", SSL_AD_UNKNOWN_CA}, +}; + +__owur static int parse_alert(int *alert, const char *value) +{ + return parse_enum(ssl_alerts, OSSL_NELEM(ssl_alerts), alert, value); +} + +__owur static int parse_client_alert(SSL_TEST_CTX *test_ctx, const char *value) +{ + return parse_alert(&test_ctx->client_alert, value); +} + +__owur static int parse_server_alert(SSL_TEST_CTX *test_ctx, const char *value) +{ + return parse_alert(&test_ctx->server_alert, value); +} + +const char *ssl_alert_name(int alert) +{ + return enum_name(ssl_alerts, OSSL_NELEM(ssl_alerts), alert); +} + +/************/ +/* Protocol */ +/************/ + +static const test_enum ssl_protocols[] = { + {"TLSv1.2", TLS1_2_VERSION}, + {"TLSv1.1", TLS1_1_VERSION}, + {"TLSv1", TLS1_VERSION}, + {"SSLv3", SSL3_VERSION}, +}; + +__owur static int parse_protocol(SSL_TEST_CTX *test_ctx, const char *value) +{ + return parse_enum(ssl_protocols, OSSL_NELEM(ssl_protocols), + &test_ctx->protocol, value); +} + +const char *ssl_protocol_name(int protocol) +{ + return enum_name(ssl_protocols, OSSL_NELEM(ssl_protocols), protocol); +} + + +/*************************************************************/ +/* Known test options and their corresponding parse methods. */ +/*************************************************************/ + +typedef struct { + const char *name; + int (*parse)(SSL_TEST_CTX *test_ctx, const char *value); +} ssl_test_ctx_option; + +static const ssl_test_ctx_option ssl_test_ctx_options[] = { + { "ExpectedResult", &parse_expected_result }, + { "ClientAlert", &parse_client_alert }, + { "ServerAlert", &parse_server_alert }, + { "Protocol", &parse_protocol }, +}; + + +/* + * Since these methods are used to create tests, we use OPENSSL_assert liberally + * for malloc failures and other internal errors. 
+ */ +SSL_TEST_CTX *SSL_TEST_CTX_new() +{ + SSL_TEST_CTX *ret; + ret = OPENSSL_zalloc(sizeof(*ret)); + OPENSSL_assert(ret != NULL); + ret->expected_result = SSL_TEST_SUCCESS; + return ret; +} + +void SSL_TEST_CTX_free(SSL_TEST_CTX *ctx) +{ + OPENSSL_free(ctx); +} + +SSL_TEST_CTX *SSL_TEST_CTX_create(const CONF *conf, const char *test_section) +{ + STACK_OF(CONF_VALUE) *sk_conf; + SSL_TEST_CTX *ctx; + int i; + size_t j; + + sk_conf = NCONF_get_section(conf, test_section); + OPENSSL_assert(sk_conf != NULL); + + ctx = SSL_TEST_CTX_new(); + OPENSSL_assert(ctx != NULL); + + for (i = 0; i < sk_CONF_VALUE_num(sk_conf); i++) { + int found = 0; + const CONF_VALUE *option = sk_CONF_VALUE_value(sk_conf, i); + for (j = 0; j < OSSL_NELEM(ssl_test_ctx_options); j++) { + if (strcmp(option->name, ssl_test_ctx_options[j].name) == 0) { + if (!ssl_test_ctx_options[j].parse(ctx, option->value)) { + fprintf(stderr, "Bad value %s for option %s\n", + option->value, option->name); + goto err; + } + found = 1; + break; + } + } + if (!found) { + fprintf(stderr, "Unknown test option: %s\n", option->name); + goto err; + } + } + + goto done; + + err: + SSL_TEST_CTX_free(ctx); + ctx = NULL; + done: + return ctx; +} diff --git a/test/ssl_test_ctx.h b/test/ssl_test_ctx.h new file mode 100644 index 0000000..a183272 --- /dev/null +++ b/test/ssl_test_ctx.h 
@@ -0,0 +1,53 @@ +/* + * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL licenses, (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * https://www.openssl.org/source/license.html + * or in the file LICENSE in the source distribution. + */ + +#ifndef HEADER_SSL_TEST_CTX_H +#define HEADER_SSL_TEST_CTX_H + +#include +#include + +typedef enum { + SSL_TEST_SUCCESS, /* Default */ + SSL_TEST_SERVER_FAIL, + SSL_TEST_CLIENT_FAIL, + SSL_TEST_INTERNAL_ERROR +} ssl_test_result_t; + +typedef struct ssl_test_ctx { + /* Test expectations. */ + /* Defaults to SUCCESS. */ + ssl_test_result_t expected_result; + /* Alerts. 0 if no expectation. */ + /* See ssl.h for alert codes. */ + /* Alert sent by the client / received by the server. */ + int client_alert; + /* Alert sent by the server / received by the client. */ + int server_alert; + /* Negotiated protocol version. 0 if no expectation. */ + /* See ssl.h for protocol versions. */ + int protocol; +} SSL_TEST_CTX; + +const char *ssl_test_result_t_name(ssl_test_result_t result); +const char *ssl_alert_name(int alert); +const char *ssl_protocol_name(int protocol); + +/* + * Load the test case context from |conf|. + * See test/README.ssl_test for details on the conf file format. + */ +SSL_TEST_CTX *SSL_TEST_CTX_create(const CONF *conf, const char *test_section); + +SSL_TEST_CTX *SSL_TEST_CTX_new(void); + +void SSL_TEST_CTX_free(SSL_TEST_CTX *ctx); + +#endif /* HEADER_SSL_TEST_CTX_H */ diff --git a/test/ssl_test_ctx_test.c b/test/ssl_test_ctx_test.c new file mode 100644 index 0000000..d933f2b --- /dev/null +++ b/test/ssl_test_ctx_test.c 
@@ -0,0 +1,179 @@ +/* + * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL licenses, (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * https://www.openssl.org/source/license.html + * or in the file LICENSE in the source distribution. + */ + +/* + * Ideally, CONF should offer standard parsing methods and cover them + * in tests. But since we have no CONF tests, we use a custom test for now. + */ + +#include + +#include "e_os.h" +#include "ssl_test_ctx.h" +#include "testutil.h" +#include +#include +#include +#include + +static CONF *conf = NULL; + +typedef struct ssl_test_ctx_test_fixture { + const char *test_case_name; + const char *test_section; + /* Expected parsed configuration. */ + SSL_TEST_CTX *expected_ctx; +} SSL_TEST_CTX_TEST_FIXTURE; + +/* Returns 1 if the contexts are equal, 0 otherwise. */ +static int SSL_TEST_CTX_equal(SSL_TEST_CTX *ctx, SSL_TEST_CTX *ctx2) +{ + if (ctx->expected_result != ctx2->expected_result) { + fprintf(stderr, "ExpectedResult mismatch: %s vs %s.\n", + ssl_test_result_t_name(ctx->expected_result), + ssl_test_result_t_name(ctx2->expected_result)); + return 0; + } + if (ctx->client_alert != ctx2->client_alert) { + fprintf(stderr, "ClientAlert mismatch: %s vs %s.\n", + ssl_alert_name(ctx->expected_result), + ssl_alert_name(ctx2->expected_result)); + return 0; + } + if (ctx->server_alert != ctx2->server_alert) { + fprintf(stderr, "ServerAlert mismatch: %s vs %s.\n", + ssl_alert_name(ctx->expected_result), + ssl_alert_name(ctx2->expected_result)); + return 0; + } + if (ctx->protocol != ctx2->protocol) { + fprintf(stderr, "ClientAlert mismatch: %s vs %s.\n", + ssl_protocol_name(ctx->expected_result), + ssl_protocol_name(ctx2->expected_result)); + return 0; + } + + return 1; +} + +static SSL_TEST_CTX_TEST_FIXTURE set_up(const char *const test_case_name) +{ + SSL_TEST_CTX_TEST_FIXTURE fixture; + 
fixture.test_case_name = test_case_name; + fixture.expected_ctx = SSL_TEST_CTX_new(); + OPENSSL_assert(fixture.expected_ctx != NULL); + return fixture; +} + +static int execute_test(SSL_TEST_CTX_TEST_FIXTURE fixture) +{ + int ret = 1; + + SSL_TEST_CTX *ctx = SSL_TEST_CTX_create(conf, fixture.test_section); + + if (ctx == NULL) { + fprintf(stderr, "Failed to parse good configuration %s.\n", + fixture.test_section); + goto err; + } + + if (!SSL_TEST_CTX_equal(ctx, fixture.expected_ctx)) + goto err; + + ret = 0; + err: + SSL_TEST_CTX_free(ctx); + return ret; +} + +static int execute_failure_test(SSL_TEST_CTX_TEST_FIXTURE fixture) +{ + SSL_TEST_CTX *ctx = SSL_TEST_CTX_create(conf, fixture.test_section); + + if (ctx != NULL) { + fprintf(stderr, "Parsing bad configuration %s succeeded.\n", + fixture.test_section); + SSL_TEST_CTX_free(ctx); + return 1; + } + + return 0; +} + +static void tear_down(SSL_TEST_CTX_TEST_FIXTURE fixture) +{ + SSL_TEST_CTX_free(fixture.expected_ctx); + ERR_print_errors_fp(stderr); +} + +#define SETUP_SSL_TEST_CTX_TEST_FIXTURE() \ + SETUP_TEST_FIXTURE(SSL_TEST_CTX_TEST_FIXTURE, set_up) +#define EXECUTE_SSL_TEST_CTX_TEST() \ + EXECUTE_TEST(execute_test, tear_down) +#define EXECUTE_SSL_TEST_CTX_FAILURE_TEST() \ + EXECUTE_TEST(execute_failure_test, tear_down) + +static int test_empty_configuration() +{ + SETUP_SSL_TEST_CTX_TEST_FIXTURE(); + fixture.test_section = "ssltest_default"; + fixture.expected_ctx->expected_result = SSL_TEST_SUCCESS; + EXECUTE_SSL_TEST_CTX_TEST(); +} + +static int test_good_configuration() +{ + SETUP_SSL_TEST_CTX_TEST_FIXTURE(); + fixture.test_section = "ssltest_good"; + fixture.expected_ctx->expected_result = SSL_TEST_SERVER_FAIL; + fixture.expected_ctx->client_alert = SSL_AD_UNKNOWN_CA; + fixture.expected_ctx->server_alert = 0; /* No alert. 
*/ + fixture.expected_ctx->protocol = TLS1_1_VERSION; + EXECUTE_SSL_TEST_CTX_TEST(); +} + +static const char *bad_configurations[] = { + "ssltest_unknown_option", + "ssltest_unknown_expected_result", + "ssltest_unknown_alert", + "ssltest_unknown_protocol", +}; + +static int test_bad_configuration(int idx) +{ + SETUP_SSL_TEST_CTX_TEST_FIXTURE(); + fixture.test_section = bad_configurations[idx]; + EXECUTE_SSL_TEST_CTX_FAILURE_TEST(); +} + +int main(int argc, char **argv) +{ + int result = 0; + + if (argc != 2) + return 1; + + conf = NCONF_new(NULL); + OPENSSL_assert(conf != NULL); + + /* argv[1] should point to test/ssl_test_ctx_test.conf */ + OPENSSL_assert(NCONF_load(conf, argv[1], NULL) > 0); + + + ADD_TEST(test_empty_configuration); + ADD_TEST(test_good_configuration); + ADD_ALL_TESTS(test_bad_configuration, OSSL_NELEM(bad_configurations)); + + result = run_tests(argv[0]); + + NCONF_free(conf); + + return result; +} diff --git a/test/ssl_test_ctx_test.conf b/test/ssl_test_ctx_test.conf new file mode 100644 index 0000000..2e6800e --- /dev/null +++ b/test/ssl_test_ctx_test.conf @@ -0,0 +1,18 @@ +[ssltest_default] + +[ssltest_good] +ExpectedResult = ServerFail +ClientAlert = UnknownCA +Protocol = TLSv1.1 + +[ssltest_unknown_option] +UnknownOption = Foo + +[ssltest_unknown_expected_result] +ExpectedResult = Foo + +[ssltest_unknown_alert] +ServerAlert = Foo + +[ssltest_unknown_protocol] +Protocol = Foo diff --git a/test/testutil.c b/test/testutil.c index de5598c..ccb6248 100644 --- a/test/testutil.c +++ b/test/testutil.c 
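Review bot: In SSL_TEST_CTX_equal() in test/ssl_test_ctx_test.c, every mismatch branch after the first prints the wrong field. The ClientAlert and ServerAlert branches call ssl_alert_name(ctx->expected_result) and ssl_alert_name(ctx2->expected_result), and the protocol branch calls ssl_protocol_name(ctx->expected_result), so a failing comparison reports the expected_result value rendered as an alert or protocol name rather than the two values that actually differed. The protocol branch also reuses the label "ClientAlert mismatch". Suggest passing ctx->client_alert, ctx->server_alert and ctx->protocol (with their ctx2 counterparts) to the matching name helpers and labelling the last message "Protocol mismatch", otherwise the diagnostics of this parser test point at the wrong option when a configuration is misread.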
@@ -68,37 +68,70 @@ typedef struct test_info { const char *test_case_name; int (*test_fn) (); + int (*param_test_fn)(int idx); + int num; } TEST_INFO; static TEST_INFO all_tests[1024]; static int num_tests = 0; +/* + * A parameterised tests runs a loop of test cases. + * |num_test_cases| counts the total number of test cases + * across all tests. + */ +static int num_test_cases = 0; void add_test(const char *test_case_name, int (*test_fn) ()) { assert(num_tests != OSSL_NELEM(all_tests)); all_tests[num_tests].test_case_name = test_case_name; all_tests[num_tests].test_fn = test_fn; + all_tests[num_tests].num = -1; + ++num_test_cases; + ++num_tests; +} + +void add_all_tests(const char *test_case_name, int(*test_fn)(int idx), + int num) +{ + assert(num_tests != OSSL_NELEM(all_tests)); + all_tests[num_tests].test_case_name = test_case_name; + all_tests[num_tests].param_test_fn = test_fn; + all_tests[num_tests].num = num; ++num_tests; + num_test_cases += num; } int run_tests(const char *test_prog_name) { int num_failed = 0; - int i = 0; - printf("%s: %d test case%s\n", test_prog_name, num_tests, - num_tests == 1 ? "" : "s"); + int i, j; + + printf("%s: %d test case%s\n", test_prog_name, num_test_cases, + num_test_cases == 1 ? "" : "s"); + for (i = 0; i != num_tests; ++i) { - if (all_tests[i].test_fn()) { - printf("** %s failed **\n--------\n", - all_tests[i].test_case_name); - ++num_failed; + if (all_tests[i].num == -1) { + if (all_tests[i].test_fn()) { + printf("** %s failed **\n--------\n", + all_tests[i].test_case_name); + ++num_failed; + } + } else { + for (j = 0; j < all_tests[i].num; j++) { + if (all_tests[i].param_test_fn(j)) { + printf("** %s failed test %d\n--------\n", + all_tests[i].test_case_name, j); + ++num_failed; + } + } } } if (num_failed != 0) { printf("%s: %d test%s failed (out of %d)\n", test_prog_name, - num_failed, num_failed != 1 ? "s" : "", num_tests); + num_failed, num_failed != 1 ? 
"s" : "", num_test_cases); return EXIT_FAILURE; } printf(" All tests passed.\n"); diff --git a/test/testutil.h b/test/testutil.h index 3a44292..ba54ac1 100644 --- a/test/testutil.h +++ b/test/testutil.h @@ -90,8 +90,8 @@ * } */ # define SETUP_TEST_FIXTURE(TEST_FIXTURE_TYPE, set_up)\ - TEST_FIXTURE_TYPE fixture = set_up(TEST_CASE_NAME);\ - int result = 0 + TEST_FIXTURE_TYPE fixture = set_up(TEST_CASE_NAME); \ + int result = 0 # define EXECUTE_TEST(execute_func, tear_down)\ if (execute_func(fixture) != 0) result = 1;\ @@ -120,7 +120,16 @@ * returned from run_tests() should be used as the return value for main(). */ # define ADD_TEST(test_function) add_test(#test_function, test_function) + +/* + * Simple parameterized tests. Adds a test_function(idx) test for each + * 0 <= idx < num. + */ +# define ADD_ALL_TESTS(test_function, num) \ + add_all_tests(#test_function, test_function, num) + void add_test(const char *test_case_name, int (*test_fn) ()); +void add_all_tests(const char *test_case_name, int (*test_fn)(int idx), int num); int run_tests(const char *test_prog_name); #endif /* HEADER_TESTUTIL_H */ From builds at travis-ci.org Tue Apr 5 12:22:39 2016 
From: builds at travis-ci.org (Travis CI) Date: Tue, 05 Apr 2016 12:22:39 +0000 Subject: [openssl-commits] Errored: openssl/openssl#3249 (master - 453dfd8) In-Reply-To: Message-ID: <5703ae0ea2461_33fa40d43a2c417082e@b304e791-25ca-4b3e-9dc9-df3fb10d1118.mail> Build Update for openssl/openssl ------------------------------------- Build: #3249 Status: Errored Duration: 29 minutes and 23 seconds Commit: 453dfd8 (master) Author: Emilia Kasper Message: New SSL test framework Currently, SSL tests are configured via command-line switches to ssltest.c. This results in a lot of duplication between ssltest.c and apps, and a complex setup. ssltest.c is also simply old and needs maintenance. Instead, we already have a way to configure SSL servers and clients, so we leverage that. SSL tests can now be configured from a configuration file. Test servers and clients are configured using the standard ssl_conf module. Additional test settings are configured via a test configuration. Moreover, since the CONF language involves unnecessary boilerplate, the test conf itself is generated from a shorter Perl syntax. The generated testcase files are checked in to the repo to make it easier to verify that the intended test cases are in fact run; and to simplify debugging failures. To demonstrate the approach, min/max protocol tests are converted to the new format. This change also fixes MinProtocol and MaxProtocol handling. It was previously requested that an SSL_CTX have both the server and client flags set for these commands; this clearly can never work. 
Guide to this PR: - test/ssl_test.c - test framework - test/ssl_test_ctx.* - test configuration structure - test/handshake_helper.* - new SSL test handshaking code - test/ssl-tests/ - test configurations - test/generate_ssl_tests.pl - script for generating CONF-style test configurations from perl inputs Reviewed-by: Richard Levitte View the changeset: https://github.com/openssl/openssl/compare/173f613b6a90...453dfd8d5ee0 View the full build log and details: https://travis-ci.org/openssl/openssl/builds/120872442 -- You can configure recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications -------------- next part -------------- An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Tue Apr 5 12:43:10 2016 From: no-reply at appveyor.com (AppVeyor) Date: Tue, 05 Apr 2016 12:43:10 +0000 Subject: [openssl-commits] Build failed: openssl master.2567 Message-ID: <20160405124217.62151.23198.E68BA6B7@appveyor.com> An HTML attachment was scrubbed... URL: From steve at openssl.org Tue Apr 5 13:24:34 2016 From: steve at openssl.org (Dr. Stephen Henson) Date: Tue, 05 Apr 2016 13:24:34 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1459862674.936906.11007.nullmailer@dev.openssl.org> The branch master has been updated via 6e863f07376e1c8ae7c89477234db50838784d99 (commit) from 453dfd8d5ee0893146e0fb61a5978ab59ba95c01 (commit) - Log ----------------------------------------------------------------- commit 6e863f07376e1c8ae7c89477234db50838784d99 Author: Dr. Stephen Henson Date: Tue Apr 5 14:06:28 2016 +0100 fix memory leak in ca Reviewed-by: Rich Salz ----------------------------------------------------------------------- Summary of changes: apps/ca.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apps/ca.c b/apps/ca.c index cc74c5b..d2990a5 100644 --- a/apps/ca.c +++ b/apps/ca.c 
@@ -1788,7 +1788,7 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, if (!X509_set_subject_name(ret, subject)) goto end; - pktmp = X509_REQ_get_pubkey(req); + pktmp = X509_REQ_get0_pubkey(req); i = X509_set_pubkey(ret, pktmp); if (!i) goto end; From no-reply at appveyor.com Tue Apr 5 13:31:25 2016 From: no-reply at appveyor.com (AppVeyor) Date: Tue, 05 Apr 2016 13:31:25 +0000 Subject: [openssl-commits] Build failed: openssl master.2568 Message-ID: <20160405133125.9982.65849.0AFD3287@appveyor.com> An HTML attachment was scrubbed... URL: From builds at travis-ci.org Tue Apr 5 13:56:24 2016 From: builds at travis-ci.org (Travis CI) Date: Tue, 05 Apr 2016 13:56:24 +0000 Subject: [openssl-commits] Errored: openssl/openssl#3252 (master - 6e863f0) In-Reply-To: Message-ID: <5703c406b0de3_33fa40d435e7c319047@b304e791-25ca-4b3e-9dc9-df3fb10d1118.mail> Build Update for openssl/openssl ------------------------------------- Build: #3252 Status: Errored Duration: 31 minutes and 9 seconds Commit: 6e863f0 (master) Author: Dr. Stephen Henson Message: fix memory leak in ca Reviewed-by: Rich Salz View the changeset: https://github.com/openssl/openssl/compare/453dfd8d5ee0...6e863f07376e View the full build log and details: https://travis-ci.org/openssl/openssl/builds/120889838 -- You can configure recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications -------------- next part -------------- An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Tue Apr 5 14:20:44 2016 From: no-reply at appveyor.com (AppVeyor) Date: Tue, 05 Apr 2016 14:20:44 +0000 Subject: [openssl-commits] Build failed: openssl master.2569 Message-ID: <20160405142011.94566.40267.9FE475C4@appveyor.com> An HTML attachment was scrubbed... URL: From emilia at openssl.org Tue Apr 5 15:06:40 2016 
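Review bot: In the do_body() hunk of apps/ca.c, pktmp is now obtained with X509_REQ_get0_pubkey(req), which hands back the request's key without taking a reference, so ownership stays with req and the caller must not free it. The hunk shows only the getter change and the three context lines up to "goto end;". Please confirm that no EVP_PKEY_free(pktmp) remains later in do_body(), because with a get0 pointer such a call would replace the leak with a double free. A short comment at the assignment noting that pktmp is borrowed would keep a later edit from reintroducing the free.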
From: emilia at openssl.org (Emilia Kasper) Date: Tue, 05 Apr 2016 15:06:40 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1459868800.624174.12378.nullmailer@dev.openssl.org> The branch master has been updated via ababe86b9674dca24ffb6b342fe7af852cf53466 (commit) from 6e863f07376e1c8ae7c89477234db50838784d99 (commit) - Log ----------------------------------------------------------------- commit ababe86b9674dca24ffb6b342fe7af852cf53466 Author: Emilia Kasper Date: Tue Apr 5 14:29:06 2016 +0200 testutil: return 1 on success Require that test methods return 1 on success (not 0). This is more customary for OpenSSL. Reviewed-by: Rich Salz ----------------------------------------------------------------------- Summary of changes: test/ct_test.c | 34 ++++++++++------------------------ test/d2i_test.c | 6 +++--- test/ssl_test.c | 8 +++----- test/ssl_test_ctx_test.c | 10 +++++----- test/testutil.c | 4 ++-- test/testutil.h | 4 ++-- 6 files changed, 25 insertions(+), 41 deletions(-) diff --git a/test/ct_test.c b/test/ct_test.c index 16855df..ce417ab 100644 --- a/test/ct_test.c +++ b/test/ct_test.c @@ -266,7 +266,7 @@ end: static int execute_cert_test(CT_TEST_FIXTURE fixture) { - int test_failed = 0; + int success = 0; X509 *cert = NULL, *issuer = NULL; STACK_OF(SCT) *scts = NULL; SCT *sct = NULL; @@ -282,7 +282,6 @@ static int execute_cert_test(CT_TEST_FIXTURE fixture) CT_TEST_MAX_FILE_SIZE - 1); if (sct_text_len < 0) { - test_failed = 1; fprintf(stderr, "Test data file not found: %s\n", fixture.sct_text_file); goto end; @@ -299,7 +298,6 @@ static int execute_cert_test(CT_TEST_FIXTURE fixture) cert = load_pem_cert(fixture.certs_dir, fixture.certificate_file); if (cert == NULL) { - test_failed = 1; fprintf(stderr, "Unable to load certificate: %s\n", fixture.certificate_file); goto end; 
@@ -311,7 +309,6 @@ static int execute_cert_test(CT_TEST_FIXTURE fixture) issuer = load_pem_cert(fixture.certs_dir, fixture.issuer_file); if (issuer == NULL) { - test_failed = 1; fprintf(stderr, "Unable to load issuer certificate: %s\n", fixture.issuer_file); goto end; @@ -325,16 +322,14 @@ static int execute_cert_test(CT_TEST_FIXTURE fixture) sct_extension = X509_get_ext(cert, sct_extension_index); if (fixture.expected_sct_count > 0) { if (sct_extension == NULL) { - test_failed = 1; fprintf(stderr, "SCT extension not found in: %s\n", fixture.certificate_file); goto end; } - if (fixture.sct_text_file) { - test_failed = compare_extension_printout(sct_extension, - expected_sct_text); - if (test_failed != 0) + if (fixture.sct_text_file + && compare_extension_printout(sct_extension, + expected_sct_text)) { goto end; } @@ -349,7 +344,6 @@ static int execute_cert_test(CT_TEST_FIXTURE fixture) if (!SCT_set_source(sct_i, SCT_SOURCE_X509V3_EXTENSION)) { fprintf(stderr, "Error setting SCT source to X509v3 extension\n"); - test_failed = 1; goto end; } } @@ -357,7 +351,7 @@ static int execute_cert_test(CT_TEST_FIXTURE fixture) are_scts_validated = SCT_LIST_validate(scts, ct_policy_ctx); if (are_scts_validated < 0) { fprintf(stderr, "Error verifying SCTs\n"); - test_failed = 1; + goto end; } else if (!are_scts_validated) { int invalid_sct_count = 0; int valid_sct_count = 0; @@ -390,14 +384,10 @@ static int execute_cert_test(CT_TEST_FIXTURE fixture) fixture.expected_sct_count, unverified_sct_count); } - test_failed = 1; - } - - if (test_failed != 0) goto end; + } } } else if (sct_extension != NULL) { - test_failed = 1; fprintf(stderr, "Expected no SCTs, but found SCT extension in: %s\n", fixture.certificate_file); 
@@ -408,21 +398,18 @@ static int execute_cert_test(CT_TEST_FIXTURE fixture) if (fixture.tls_sct != NULL) { const unsigned char *p = fixture.tls_sct; if (o2i_SCT(&sct, &p, fixture.tls_sct_len) == NULL) { - test_failed = 1; fprintf(stderr, "Failed to decode SCT from TLS format\n"); goto end; } - if (fixture.sct_text_file) { - test_failed = compare_sct_printout(sct, expected_sct_text); - if (test_failed != 0) + if (fixture.sct_text_file + && compare_sct_printout(sct, expected_sct_text)) { goto end; } tls_sct_len = i2o_SCT(sct, &tls_sct); if (tls_sct_len != fixture.tls_sct_len || memcmp(fixture.tls_sct, tls_sct, tls_sct_len) != 0) { - test_failed = 1; fprintf(stderr, "Failed to encode SCT into TLS format correctly\n"); goto end; } @@ -430,16 +417,15 @@ static int execute_cert_test(CT_TEST_FIXTURE fixture) if (fixture.test_validity && cert != NULL) { int is_sct_validated = SCT_validate(sct, ct_policy_ctx); if (is_sct_validated < 0) { - test_failed = 1; fprintf(stderr, "Error validating SCT\n"); goto end; } else if (!is_sct_validated) { - test_failed = 1; fprintf(stderr, "SCT failed verification\n"); goto end; } } } + success = 1; end: X509_free(cert); @@ -448,7 +434,7 @@ end: SCT_free(sct); CT_POLICY_EVAL_CTX_free(ct_policy_ctx); OPENSSL_free(tls_sct); - return test_failed; + return success; } #define SETUP_CT_TEST_FIXTURE() SETUP_TEST_FIXTURE(CT_TEST_FIXTURE, set_up) diff --git a/test/d2i_test.c b/test/d2i_test.c index cf01012..6ffdf55 100644 --- a/test/d2i_test.c +++ b/test/d2i_test.c @@ -40,13 +40,13 @@ static int execute_test(D2I_TEST_FIXTURE fixture) { BIO *bio = NULL; ASN1_VALUE *value = NULL; - int ret = 1; + int ret = 0; unsigned char buf[2048]; const unsigned char *buf_ptr = buf; int len; if ((bio = BIO_new_file(test_file, "r")) == NULL) - return 1; + return 0; /* * We don't use ASN1_item_d2i_bio because it, apparently, @@ -60,7 +60,7 @@ static int execute_test(D2I_TEST_FIXTURE fixture) if (value != NULL) goto err; - ret = 0; + ret = 1; err: BIO_free(bio); 
diff --git a/test/ssl_test.c b/test/ssl_test.c index 01ce5d5..499afd5 100644 --- a/test/ssl_test.c +++ b/test/ssl_test.c @@ -140,8 +140,7 @@ static int check_test(HANDSHAKE_RESULT result, SSL_TEST_CTX *test_ctx) static int execute_test(SSL_TEST_FIXTURE fixture) { - /* TODO(emilia): this is confusing. Flip to return 1 on success. */ - int ret = 1; + int ret = 0; SSL_CTX *server_ctx = NULL, *client_ctx = NULL; SSL_TEST_CTX *test_ctx = NULL; HANDSHAKE_RESULT result; @@ -163,15 +162,14 @@ static int execute_test(SSL_TEST_FIXTURE fixture) result = do_handshake(server_ctx, client_ctx); - if (check_test(result, test_ctx)) - ret = 0; + ret = check_test(result, test_ctx); err: CONF_modules_unload(0); SSL_CTX_free(server_ctx); SSL_CTX_free(client_ctx); SSL_TEST_CTX_free(test_ctx); - if (ret != 0) + if (ret != 1) ERR_print_errors_fp(stderr); return ret; } diff --git a/test/ssl_test_ctx_test.c b/test/ssl_test_ctx_test.c index d933f2b..3c6fa71 100644 --- a/test/ssl_test_ctx_test.c +++ b/test/ssl_test_ctx_test.c @@ -74,7 +74,7 @@ static SSL_TEST_CTX_TEST_FIXTURE set_up(const char *const test_case_name) static int execute_test(SSL_TEST_CTX_TEST_FIXTURE fixture) { - int ret = 1; + int success = 0; SSL_TEST_CTX *ctx = SSL_TEST_CTX_create(conf, fixture.test_section); @@ -87,10 +87,10 @@ static int execute_test(SSL_TEST_CTX_TEST_FIXTURE fixture) if (!SSL_TEST_CTX_equal(ctx, fixture.expected_ctx)) goto err; - ret = 0; + success = 1; err: SSL_TEST_CTX_free(ctx); - return ret; + return success; } static int execute_failure_test(SSL_TEST_CTX_TEST_FIXTURE fixture) @@ -101,10 +101,10 @@ static int execute_failure_test(SSL_TEST_CTX_TEST_FIXTURE fixture) fprintf(stderr, "Parsing bad configuration %s succeeded.\n", fixture.test_section); SSL_TEST_CTX_free(ctx); - return 1; + return 0; } - return 0; + return 1; } static void tear_down(SSL_TEST_CTX_TEST_FIXTURE fixture) diff --git a/test/testutil.c b/test/testutil.c index ccb6248..3f63784 100644 --- a/test/testutil.c +++ b/test/testutil.c 
@@ -113,14 +113,14 @@ int run_tests(const char *test_prog_name) for (i = 0; i != num_tests; ++i) { if (all_tests[i].num == -1) { - if (all_tests[i].test_fn()) { + if (!all_tests[i].test_fn()) { printf("** %s failed **\n--------\n", all_tests[i].test_case_name); ++num_failed; } } else { for (j = 0; j < all_tests[i].num; j++) { - if (all_tests[i].param_test_fn(j)) { + if (!all_tests[i].param_test_fn(j)) { printf("** %s failed test %d\n--------\n", all_tests[i].test_case_name, j); ++num_failed; diff --git a/test/testutil.h b/test/testutil.h index ba54ac1..2ae3d7d 100644 --- a/test/testutil.h +++ b/test/testutil.h @@ -68,7 +68,7 @@ * * EXECUTE_TEST will pass fixture to execute_func() by value, call * tear_down(), and return the result of execute_func(). execute_func() should - * take a TEST_FIXTURE_TYPE by value and return zero on success or one on + * take a TEST_FIXTURE_TYPE by value and return 1 on success and 0 on * failure. * * Unit tests can define their own SETUP_TEST_FIXTURE and EXECUTE_TEST @@ -94,7 +94,7 @@ int result = 0 # define EXECUTE_TEST(execute_func, tear_down)\ - if (execute_func(fixture) != 0) result = 1;\ + result = execute_func(fixture);\ tear_down(fixture);\ return result From emilia at openssl.org Tue Apr 5 15:07:57 2016 
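Review bot: In the run_tests() hunk of test/testutil.c and the EXECUTE_TEST hunk of test/testutil.h, the new checks are "if (!all_tests[i].test_fn())" and "result = execute_func(fixture);", so any nonzero return now counts as a pass. A test that was not converted and still returns 1 on failure, or one that returns -1 on an internal error, will be reported as passing with no diagnostic. The summary of changes lists only ct_test.c, d2i_test.c, ssl_test.c and ssl_test_ctx_test.c as converted; please confirm that no other test program uses ADD_TEST or EXECUTE_TEST, and consider comparing against 1 explicitly (as the ssl_test.c hunk already does with "if (ret != 1)") so that a stray return value fails loudly instead of silently inverting a result.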
From: emilia at openssl.org (Emilia Kasper) Date: Tue, 05 Apr 2016 15:07:57 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1459868877.466579.13487.nullmailer@dev.openssl.org> The branch master has been updated via 69853045e1154236d440eba363a001033f5e3781 (commit) from ababe86b9674dca24ffb6b342fe7af852cf53466 (commit) - Log ----------------------------------------------------------------- commit 69853045e1154236d440eba363a001033f5e3781 Author: Emilia Kasper Date: Tue Apr 5 14:04:05 2016 +0200 Rename ssltest -> ssltest_old ssltest_old.c is deprecated. New tests should use ssl_test.c, and the recipes in 80-test_ssl_new.t Reviewed-by: Richard Levitte ----------------------------------------------------------------------- Summary of changes: test/Makefile.in | 24 +++++++++++------------ test/build.info | 8 ++++---- test/recipes/{80-test_ssl.t => 80-test_ssl_old.t} | 20 +++++++++---------- test/{ssltest.c => ssltest_old.c} | 0 4 files changed, 26 insertions(+), 26 deletions(-) rename test/recipes/{80-test_ssl.t => 80-test_ssl_old.t} (98%) rename test/{ssltest.c => ssltest_old.c} (100%) diff --git a/test/Makefile.in b/test/Makefile.in index aadf2c7..cefcd72 100644 --- a/test/Makefile.in +++ b/test/Makefile.in @@ -59,7 +59,7 @@ DESTEST= destest RANDTEST= randtest DHTEST= dhtest DSATEST= dsatest -SSLTEST= ssltest +SSLTESTOLD= ssltest_old DANETEST= danetest RSATEST= rsa_test ENGINETEST= enginetest @@ -86,7 +86,7 @@ THREADSTEST= threadstest AFALGTEST= afalgtest D2ITEST = d2i_test SSLTESTCTXTEST = ssl_test_ctx_test -NEWSSLTEST = ssl_test +SSLTEST = ssl_test TESTS= alltests 
@@ -100,7 +100,7 @@ EXE= $(NPTEST)$(EXE_EXT) $(MEMLEAKTEST)$(EXE_EXT) \ $(MDC2TEST)$(EXE_EXT) $(RMDTEST)$(EXE_EXT) \ $(RANDTEST)$(EXE_EXT) $(DHTEST)$(EXE_EXT) $(ENGINETEST)$(EXE_EXT) \ $(DANETEST)$(EXE_EXT) \ - $(BFTEST)$(EXE_EXT) $(CASTTEST)$(EXE_EXT) $(SSLTEST)$(EXE_EXT) \ + $(BFTEST)$(EXE_EXT) $(CASTTEST)$(EXE_EXT) $(SSLTESTOLD)$(EXE_EXT) \ $(EXPTEST)$(EXE_EXT) $(DSATEST)$(EXE_EXT) $(RSATEST)$(EXE_EXT) \ $(EVPTEST)$(EXE_EXT) $(EVPEXTRATEST)$(EXE_EXT) $(IGETEST)$(EXE_EXT) \ $(SECMEMTEST)$(EXE_EXT) \ @@ -110,7 +110,7 @@ EXE= $(NPTEST)$(EXE_EXT) $(MEMLEAKTEST)$(EXE_EXT) \ $(CLIENTHELLOTEST)$(EXE_EXT) $(PACKETTEST)$(EXE_EXT) $(ASYNCTEST)$(EXE_EXT) \ $(DTLSV1LISTENTEST)$(EXE_EXT) $(CTTEST)$(EXE_EXT) $(THREADSTEST)$(EXE_EXT) \ $(AFALGTEST)$(EXE_EXT) $(D2ITEST)$(EXE_EXT) $(SSLTESTCTXTEST)$(EXE_EXT) \ - $(NEWSSLTEST)$(EXE_EXT) + $(SSLTEST)$(EXE_EXT) # $(METHTEST)$(EXE_EXT) @@ -123,13 +123,13 @@ OBJ= $(NPTEST).o $(MEMLEAKTEST).o \ $(DESTEST).o $(SHA1TEST).o $(SHA256TEST).o $(SHA512TEST).o \ $(MDC2TEST).o $(RMDTEST).o $(DANETEST).o \ $(RANDTEST).o $(DHTEST).o $(ENGINETEST).o $(CASTTEST).o \ - $(BFTEST).o $(SSLTEST).o $(DSATEST).o $(EXPTEST).o $(RSATEST).o \ + $(BFTEST).o $(SSLTESTOLD).o $(DSATEST).o $(EXPTEST).o $(RSATEST).o \ $(EVPTEST).o $(EVPEXTRATEST).o $(IGETEST).o $(V3NAMETEST).o \ $(HEARTBEATTEST).o $(P5_CRPT2_TEST).o \ $(CONSTTIMETEST).o $(VERIFYEXTRATEST).o $(CLIENTHELLOTEST).o \ $(PACKETTEST).o $(ASYNCTEST).o $(DTLSV1LISTENTEST).o $(CTTEST).o \ $(THREADSTEST).o testutil.o $(AFALGTEST).o $(D2ITEST).o ssl_test_ctx.o \ - $(SSLTESTCTXTEST).o $(NEWSSLTEST).o handshake_helper.o + $(SSLTESTCTXTEST).o $(SSLTEST).o handshake_helper.o SRC= $(NPTEST).c $(MEMLEAKTEST).c \ $(BNTEST).c $(ECTEST).c \ 
@@ -139,13 +139,13 @@ SRC= $(NPTEST).c $(MEMLEAKTEST).c \ $(RC2TEST).c $(RC4TEST).c $(RC5TEST).c $(DANETEST).c \ $(DESTEST).c $(SHA1TEST).c $(MDC2TEST).c $(RMDTEST).c \ $(RANDTEST).c $(DHTEST).c $(ENGINETEST).c $(CASTTEST).c \ - $(BFTEST).c $(SSLTEST).c $(DSATEST).c $(EXPTEST).c $(RSATEST).c \ + $(BFTEST).c $(SSLTESTOLD).c $(DSATEST).c $(EXPTEST).c $(RSATEST).c \ $(EVPTEST).c $(EVPEXTRATEST).c $(IGETEST).c $(V3NAMETEST).c \ $(HEARTBEATTEST).c $(P5_CRPT2_TEST).c \ $(CONSTTIMETEST).c $(VERIFYEXTRATEST).c $(CLIENTHELLOTEST).c \ $(PACKETTEST).c $(ASYNCTEST).c $(DTLSV1LISTENTEST).c $(CTTEST).c \ $(THREADSTEST).c testutil.c $(AFALGTEST).c $(D2ITEST).c ssl_test_ctx.c \ - $(SSLTESTCTXTEST).c $(NEWSSLTEST).c handshake_helper.c + $(SSLTESTCTXTEST).c $(SSLTEST).c handshake_helper.c HEADER= testutil.h ssl_test_ctx.h handshake_helper.h @@ -322,8 +322,8 @@ $(DSATEST)$(EXE_EXT): $(DSATEST).o $(DLIBCRYPTO) $(METHTEST)$(EXE_EXT): $(METHTEST).o $(DLIBCRYPTO) @target=$(METHTEST); $(BUILD_CMD) -$(SSLTEST)$(EXE_EXT): $(SSLTEST).o $(DLIBSSL) $(DLIBCRYPTO) - @target=$(SSLTEST); $(BUILD_CMD) +$(SSLTESTOLD)$(EXE_EXT): $(SSLTESTOLD).o $(DLIBSSL) $(DLIBCRYPTO) + @target=$(SSLTESTOLD); $(BUILD_CMD) $(DANETEST)$(EXE_EXT): $(DANETEST).o $(DLIBSSL) $(DLIBCRYPTO) @target=$(DANETEST); $(BUILD_CMD) @@ -402,9 +402,9 @@ $(SSLTESTCTXTEST)$(EXE_EXT): $(SSLTESTCTXTEST).o testutil.o ssl_test_ctx.o \ @target=$(SSLTESTCTXTEST) testutil="testutil.o ssl_test_ctx.o"; \ $(BUILD_CMD) -$(NEWSSLTEST)$(EXE_EXT): $(NEWSSLTEST).o testutil.o ssl_test_ctx.o \ +$(SSLTEST)$(EXE_EXT): $(SSLTEST).o testutil.o ssl_test_ctx.o \ handshake_helper.o $(DLIBSSL) $(DLIBCRYPTO) - @target=$(NEWSSLTEST) testutil="testutil.o ssl_test_ctx.o \ + @target=$(SSLTEST) testutil="testutil.o ssl_test_ctx.o \ handshake_helper.o"; $(BUILD_CMD) # DO NOT DELETE THIS LINE -- make depend depends on it. diff --git a/test/build.info b/test/build.info index 2bbf1ba..3dcddb6 100644 --- a/test/build.info +++ b/test/build.info 
@@ -9,7 +9,7 @@ PROGRAMS=\ destest sha1test sha256t sha512t \ mdc2test rmdtest \ randtest dhtest enginetest casttest \ - bftest ssltest dsatest exptest rsa_test \ + bftest ssltest_old dsatest exptest rsa_test \ evp_test evp_extra_test igetest v3nametest \ danetest heartbeat_test p5_crpt2_test \ constant_time_test verify_extra_test clienthellotest \ @@ -129,9 +129,9 @@ SOURCE[bftest]=bftest.c INCLUDE[bftest]={- rel2abs(catdir($builddir,"../include")) -} ../include DEPEND[bftest]=../libcrypto -SOURCE[ssltest]=ssltest.c -INCLUDE[ssltest]={- rel2abs(catdir($builddir,"../include")) -} .. ../include -DEPEND[ssltest]=../libcrypto ../libssl +SOURCE[ssltest_old]=ssltest_old.c +INCLUDE[ssltest_old]={- rel2abs(catdir($builddir,"../include")) -} .. ../include +DEPEND[ssltest_old]=../libcrypto ../libssl SOURCE[dsatest]=dsatest.c INCLUDE[dsatest]={- rel2abs(catdir($builddir,"../include")) -} ../include diff --git a/test/recipes/80-test_ssl.t b/test/recipes/80-test_ssl_old.t similarity index 98% rename from test/recipes/80-test_ssl.t rename to test/recipes/80-test_ssl_old.t index 8cb33a1..855e7c6 100644 --- a/test/recipes/80-test_ssl.t +++ b/test/recipes/80-test_ssl_old.t @@ -66,12 +66,12 @@ my $P2intermediate="tmp_intP2.ss"; my $server_sess="server.ss"; my $client_sess="client.ss"; -# ssltest.c is deprecated in favour of the new framework in ssl_test.c +# ssltest_old.c is deprecated in favour of the new framework in ssl_test.c # If you're adding tests here, you probably want to convert them to the # new format in ssl_test.c and add recipes to 80-test_ssl_new.t instead. plan tests => 1 # For testss - + 1 # For ssltest -test_cipherlist + + 1 # For ssltest_old -test_cipherlist + 14 # For the first testssl + 16 # For the first testsslproxy + 16 # For the second testsslproxy 
@@ -89,10 +89,10 @@ subtest 'test_ss' => sub { } }; -my $check = ok(run(test(["ssltest","-test_cipherlist"])), "running ssltest"); +my $check = ok(run(test(["ssltest_old","-test_cipherlist"])), "running ssltest_old"); SKIP: { - skip "ssltest ended with error, skipping the rest", 3 + skip "ssltest_old ended with error, skipping the rest", 3 if !$check; note('test_ssl -- key U'); @@ -320,7 +320,7 @@ sub testssl { my @CA = $CAtmp ? ("-CAfile", $CAtmp) : ("-CApath", bldtop_dir("certs")); my @extra = @_; - my @ssltest = ("ssltest", + my @ssltest = ("ssltest_old", "-s_key", $key, "-s_cert", $cert, "-c_key", $key, "-c_cert", $cert); @@ -445,7 +445,7 @@ sub testssl { ok(run(test([@ssltest, "-ipv4", @extra])), 'test TLS via IPv4'); } - + SKIP: { skip "No IPv6 available on this machine", 1 unless !disabled("sock") && have_IPv6(); @@ -536,13 +536,13 @@ sub testssl { skip "skipping RSA tests", 2 if $no_rsa; - ok(run(test(["ssltest", "-v", "-bio_pair", "-tls1", "-s_cert", srctop_file("apps","server2.pem"), "-no_dhe", "-no_ecdhe", "-num", "10", "-f", "-time", @extra])), + ok(run(test(["ssltest_old", "-v", "-bio_pair", "-tls1", "-s_cert", srctop_file("apps","server2.pem"), "-no_dhe", "-no_ecdhe", "-num", "10", "-f", "-time", @extra])), 'test tlsv1 with 1024bit RSA, no (EC)DHE, multiple handshakes'); skip "skipping RSA+DHE tests", 1 if $no_dh; - ok(run(test(["ssltest", "-v", "-bio_pair", "-tls1", "-s_cert", srctop_file("apps","server2.pem"), "-dhe1024dsa", "-num", "10", "-f", "-time", @extra])), + ok(run(test(["ssltest_old", "-v", "-bio_pair", "-tls1", "-s_cert", srctop_file("apps","server2.pem"), "-dhe1024dsa", "-num", "10", "-f", "-time", @extra])), 'test tlsv1 with 1024bit RSA, 1024bit DHE, multiple handshakes'); } @@ -834,7 +834,7 @@ sub testsslproxy { my @CA = $CAtmp ? ("-CAfile", $CAtmp) : ("-CApath", bldtop_dir("certs")); my @extra = @_; - my @ssltest = ("ssltest", + my @ssltest = ("ssltest_old", "-s_key", $key, "-s_cert", $cert, "-c_key", $key, "-c_cert", $cert); 
@@ -848,7 +848,7 @@ sub testsslproxy { # letters get combined into just "B". # The policy letter(s) then get filtered with the given auth letter # in the table below, and the result gets tested with the given - # condition. For details, read ssltest.c + # condition. For details, read ssltest_old.c # # certfilename => [ [ auth, cond, expected result ] ... ] my %expected = ( "certP1.ss" => [ [ [ 'A', 'A' ], 1 ], diff --git a/test/ssltest.c b/test/ssltest_old.c similarity index 100% rename from test/ssltest.c rename to test/ssltest_old.c From no-reply at appveyor.com Tue Apr 5 15:19:15 2016 From: no-reply at appveyor.com (AppVeyor) Date: Tue, 05 Apr 2016 15:19:15 +0000 Subject: [openssl-commits] Build failed: openssl master.2570 Message-ID: <20160405151914.7805.93111.AC980C14@appveyor.com> An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Tue Apr 5 16:16:44 2016 From: no-reply at appveyor.com (AppVeyor) Date: Tue, 05 Apr 2016 16:16:44 +0000 Subject: [openssl-commits] Build failed: openssl master.2571 Message-ID: <20160405161603.94572.652.0964DD23@appveyor.com> An HTML attachment was scrubbed... URL: From builds at travis-ci.org Tue Apr 5 16:49:42 2016 
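Review bot: In test/Makefile.in the SSLTEST variable is re-pointed rather than retired: "SSLTEST= ssltest" becomes "SSLTESTOLD= ssltest_old" and "NEWSSLTEST = ssl_test" becomes "SSLTEST = ssl_test". Any rule or out-of-tree script that still refers to $(SSLTEST) expecting the legacy program will build and run the new framework binary without an error, and the legacy command-line tests would then not be exercised. Suggest either keeping the NEWSSLTEST name for one release or checking that no remaining recipe references $(SSLTEST) with the old command-line switches. The 80-test_ssl_old.t hunk at line 445 is a whitespace-only change and would be cleaner in a separate commit from the rename.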
From: builds at travis-ci.org (Travis CI) Date: Tue, 05 Apr 2016 16:49:42 +0000 Subject: [openssl-commits] Passed: openssl/openssl#3258 (master - ababe86) In-Reply-To: Message-ID: <5703eca6193c0_33fb2e84c1ca81003151@77656252-b11c-4d9b-aab2-8f2a58be9791.mail> Build Update for openssl/openssl ------------------------------------- Build: #3258 Status: Passed Duration: 28 minutes and 48 seconds Commit: ababe86 (master) Author: Emilia Kasper Message: testutil: return 1 on success Require that test methods return 1 on success (not 0). This is more customary for OpenSSL. Reviewed-by: Rich Salz View the changeset: https://github.com/openssl/openssl/compare/6e863f07376e...ababe86b9674 View the full build log and details: https://travis-ci.org/openssl/openssl/builds/120913611 -- You can configure recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications -------------- next part -------------- An HTML attachment was scrubbed... URL: From builds at travis-ci.org Tue Apr 5 17:12:38 2016 
From: builds at travis-ci.org (Travis CI) Date: Tue, 05 Apr 2016 17:12:38 +0000 Subject: [openssl-commits] Passed: openssl/openssl#3259 (master - 6985304) In-Reply-To: Message-ID: <5703f2066cb4b_33fa40d435e7c6694dc@b304e791-25ca-4b3e-9dc9-df3fb10d1118.mail> Build Update for openssl/openssl ------------------------------------- Build: #3259 Status: Passed Duration: 28 minutes and 7 seconds Commit: 6985304 (master) Author: Emilia Kasper Message: Rename ssltest -> ssltest_old ssltest_old.c is deprecated. New tests should use ssl_test.c, and the recipes in 80-test_ssl_new.t Reviewed-by: Richard Levitte View the changeset: https://github.com/openssl/openssl/compare/ababe86b9674...69853045e115 View the full build log and details: https://travis-ci.org/openssl/openssl/builds/120914084 -- You can configure recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications -------------- next part -------------- An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Tue Apr 5 17:15:25 2016 From: no-reply at appveyor.com (AppVeyor) Date: Tue, 05 Apr 2016 17:15:25 +0000 Subject: [openssl-commits] Build failed: openssl master.2572 Message-ID: <20160405171524.9966.8625.AEFABF09@appveyor.com> An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Tue Apr 5 18:10:30 2016 From: no-reply at appveyor.com (AppVeyor) Date: Tue, 05 Apr 2016 18:10:30 +0000 Subject: [openssl-commits] Build failed: openssl master.2573 Message-ID: <20160405181029.9966.34300.E8171667@appveyor.com> An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Tue Apr 5 19:03:25 2016 From: no-reply at appveyor.com (AppVeyor) Date: Tue, 05 Apr 2016 19:03:25 +0000 Subject: [openssl-commits] Build failed: openssl master.2574 Message-ID: <20160405190325.9973.78804.7E093F5A@appveyor.com> An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Tue Apr 5 20:02:33 2016 
From: no-reply at appveyor.com (AppVeyor) Date: Tue, 05 Apr 2016 20:02:33 +0000 Subject: [openssl-commits] Build failed: openssl master.2575 Message-ID: <20160405200224.62151.52875.8AA89D4F@appveyor.com> An HTML attachment was scrubbed... URL: From no-reply at appveyor.com Tue Apr 5 20:59:53 2016 From: no-reply at appveyor.com (AppVeyor) Date: Tue, 05 Apr 2016 20:59:53 +0000 Subject: [openssl-commits] Build failed: openssl master.2576 Message-ID: <20160405205940.49905.87860.8ABB6A80@appveyor.com> An HTML attachment was scrubbed... URL: From rsalz at openssl.org Tue Apr 5 21:31:28 2016 From: rsalz at openssl.org (Rich Salz) Date: Tue, 05 Apr 2016 21:31:28 +0000 Subject: [openssl-commits] [web] master update Message-ID: <1459891888.208885.26908.nullmailer@dev.openssl.org> The branch master has been updated via a536b7e80435559431c7921aec1b1128d2dc27bf (commit) from 44d0a4ddea2188656c4dc4dc993b9bd5a916b223 (commit) - Log ----------------------------------------------------------------- commit a536b7e80435559431c7921aec1b1128d2dc27bf Author: Rich Salz Date: Tue Apr 5 17:24:26 2016 -0400 Add CII best practices reference ----------------------------------------------------------------------- Summary of changes: policies/index.html | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/policies/index.html b/policies/index.html index 811aea2..1093f58 100644 --- a/policies/index.html +++ b/policies/index.html @@ -38,13 +38,23 @@ The Roadmap describes our overall goals and plans for OpenSSL. It is a living document and is expected to change over time. Objectives and dates should be - considered aspirational.

+ considered aspirational. +

If you want to contribute code or fixes to the project, please read the Coding Style page. For legal obligations of contributors, see the page on Contributor Agreements. - +

+

+ We are pleased to mention that + + we follow + the + + best practices + of the Core Infrastructure Initiative. +