Branch: Tag:

2019-06-05

2019-06-05 12:33:08 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Testsuite [SSL]: Test ECDHE with all supported curves.

2019-05-04

2019-05-04 09:12:19 by Arne Goedeke <el@laramies.com>

Merge remote-tracking branch 'origin/master' into new_utf8

2019-04-11

2019-04-11 16:04:44 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Testsuite: Protect lots of lfuns.

2019-03-19

2019-03-19 12:33:55 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Merge commit '722771973bd' into patches/lyslyskom22891031

* commit '722771973bd': (6177 commits)
Verify that callablep responses are aligned with reality.
...

2019-03-14

2019-03-14 10:39:03 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Merge commit '2470270f500c728d10b8895314d8d8b07016e37b' into grubba/typechecker-automap

* commit '2470270f500c728d10b8895314d8d8b07016e37b': (18681 commits)
Removed the old typechecker.
...

2018-11-03

2018-11-03 14:21:37 by Marcus Comstedt <marcus@mc.pp.se>

Merge remote-tracking branch 'origin/8.1' into gobject-introspection

2018-04-04

2018-04-04 22:44:15 by Martin Nilsson <nilsson@fastmail.com>

Fix leaked testsuite constant.

2018-02-15

2018-02-15 15:54:26 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Merge commit '75c9d1806f1a69ca21c27a2c2fe1b4a6ea38e77e' into patches/pike63

* commit '75c9d1806f1a69ca21c27a2c2fe1b4a6ea38e77e': (19587 commits)
...

2017-11-21

2017-11-21 09:08:09 by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL.File: Added support for set_buffer_mode().

Adds support for user provided buffers in both directions.

Updates the {read,write,close}_callbacks to the current conventions of
Stdio.File (this includes defaulting the callback_id to this_object()).

Also adds some corresponding tests to the testsuite.

2016-11-12

2016-11-12 00:03:19 by Martin Nilsson <nilsson@fastmail.com>

Fix SECP224R1 certificate test.

2016-11-11

2016-11-11 23:39:46 by Martin Nilsson <nilsson@fastmail.com>

Fix issues with missing ECC curves.

2016-10-19

2016-10-19 21:40:14 by Martin Nilsson <nilsson@fastmail.com>

Testsuite fixes.

2016-07-16

2016-07-16 08:42:37 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Testsuite [SSL]: Test both session-id and ticket resumption.

2016-05-21

2016-05-21 17:33:08 by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL.File: Added support for set_buffer_mode().

Adds support for user provided buffers in both directions.

Updates the {read,write,close}_callbacks to the current conventions of
Stdio.File (this includes defaulting the callback_id to this_object()).

Also adds some corresponding tests to the testsuite.

2016-04-14

2016-04-14 21:56:19 by Martin Nilsson <nilsson@fastmail.com>

Null ciphers are still allowed, just not SSL_null_with_null_null.

2016-02-25

2016-02-25 10:57:54 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Testsuite [SSL]: All suites aren't always available...

Fixes testsuite failures on platforms with old versions of Nettle
(eg without gcm) or with castrated versions of Nettle (eg the
Solaris 11 bundled version of Nettle 3.1.1 which is without hogweed).

2016-01-17

2016-01-17 00:42:52 by Martin Nilsson <nilsson@fastmail.com>

Client certificates are handled the same for all versions of SSL/TLS until 1.3.

2015-12-19

2015-12-19 17:24:36 by Martin Nilsson <nilsson@fastmail.com>

Test AUTHLEVEL_verify as well.

2015-12-19 17:20:52 by Martin Nilsson <nilsson@fastmail.com>

No need to iterate over all versions of TLS for every AUTH and failure mode of certificates.

2015-12-18

2015-12-18 13:53:07 by Martin Nilsson <nilsson@fastmail.com>

Selfsigned certificates are not enough at AUTHLEVEL_require.

2015-12-04

2015-12-04 11:14:49 by Martin Nilsson <nilsson@fastmail.com>

Improved documentation.

2015-12-01

2015-12-01 08:55:12 by Martin Nilsson <nilsson@fastmail.com>

Stop supporting compression by default.

2015-11-15

2015-11-15 21:38:21 by Martin Nilsson <nilsson@fastmail.com>

Using imports to shorten the code.

2015-11-15 21:21:12 by Martin Nilsson <nilsson@fastmail.com>

Use ifefun where possible and needed.

2015-11-15 19:26:37 by Martin Nilsson <nilsson@fastmail.com>

The (threaded_)test_ssl_connection can now determine expected version correctly for suites with more than one entry.

2015-11-15 19:26:37 by Martin Nilsson <nilsson@fastmail.com>

Fixed the cond for thread_create.

2015-11-15 19:26:37 by Martin Nilsson <nilsson@fastmail.com>

Added MTI tests.

2015-11-15 16:28:37 by Martin Nilsson <nilsson@fastmail.com>

More comments.

2015-11-15 02:35:19 by Martin Nilsson <nilsson@fastmail.com>

Split the big cipher/protocol test loop into multiple tests, as it has a tendency to regress to too combinatory explosion. Test protocol version range compatibility with null_with_null_null (for now at least), then test all ciphers once per protocol (which arguably could be optimized into a KE part and cipher part), removed never-working ffdhe tests and moved test of threaded use to a single test with one cipher. Forked testing still disabled, as the messaging bug isn't solved (or looked at from what I know).

2015-11-15 00:34:57 by Martin Nilsson <nilsson@fastmail.com>

Trim status message a little.

2015-11-01

2015-11-01 17:56:56 by Martin Nilsson <nilsson@fastmail.com>

Rename HASH_sha to HASH_sha1.

2015-11-01 17:44:19 by Martin Nilsson <nilsson@fastmail.com>

NSA IA now only recommends AES-256, P-384, SHA-384, 3072+ bit DH, 3072+ bit RSA

2015-10-26

2015-10-26 11:16:45 by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL: Protocol version handling cleanup.

The protocol version is now represented the same way everywhere;
a 16-bit integer with the major (ie 3) in the high 8 bits, and
the minor in the low 8 bits.

Previously there was a mix between having a two element array,
and just keeping track of the minor.

Also strengthens the types of version variables in a few places.

2015-10-22

2015-10-22 13:04:44 by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL: Don't attempt AEAD algorithms before TLS 1.2.

TLS 1.1 and earlier does not support AEAD algorithms,
so don't attempt to use them in that case.

2015-10-20

2015-10-20 13:03:13 by Martin Nilsson <nilsson@opera.com>

SSL: Some support dhe_dss_mode().

Currently disabled as Tools.X509.decode_certificate() doesn't
support DSA certificates.

2015-10-20 12:33:12 by Martin Nilsson <nilsson@opera.com>

Cut test time by 90% by only testing each cipher for each negotiated SSL/TLS version.

2015-10-20 12:31:52 by Martin Nilsson <nilsson@opera.com>

Moving cond_end and reindent.

2015-10-20 12:30:23 by Martin Nilsson <nilsson@opera.com>

Testsuite [SSL]: Use SSL.Context()->get_suites().

2015-10-20 09:54:16 by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL.Cipher: Added a few more DES-40 cipher suites.

2015-10-19

2015-10-19 15:38:15 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Testsuite: Don't attempt to use obsolete suites with recent TLS.

2015-10-19 15:38:14 by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL: Update testsuite to test TLS 1.2.

2015-10-16

2015-10-16 09:48:14 by Per Hedbor <ph@opera.com>

Close the client and server connections in the SSL test

We were running out of FD:s on OSX, where the default max is 256

2015-10-16 09:45:50 by Martin Nilsson <nilsson@opera.com>

Testsuite [SSL]: Use less random random to speed things up.

2015-10-15

2015-10-15 14:43:55 by Martin Nilsson <nilsson@opera.com>

Use cond_begin/cond_end instead of cond_resolv, since it breaks with larger input.

2015-10-15 14:43:47 by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL: Test all supported cipher suites.

This currently breaks the testsuite, since the client
code for the ciphers rc4_40 and null seem to be broken.

2015-10-14

2015-10-14 15:28:57 by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL: Moved cond to proper place in the testsuite.

2015-10-14 15:28:20 by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL: Added tests that client and server are compatible.

2015-09-18

2015-09-18 14:56:49 by Martin Nilsson <nilsson@fastmail.com>

Disable chacha20-poly1305 until we managed to interoperate with another implementation.

2015-09-11

2015-09-11 21:21:17 by Martin Nilsson <nilsson@fastmail.com>

Fixed testsuite.

2015-09-06

2015-09-06 19:43:42 by Martin Nilsson <nilsson@fastmail.com>

Cosmetic update of strerror use.

2015-09-01

2015-09-01 11:53:57 by Per Hedbor <ph@opera.com>

Merge branch '8.1' into per/substrings

2015-08-31

2015-08-31 02:19:40 by Martin Nilsson <nilsson@fastmail.com>

Running SSL tests in parallel is currently broken.

2015-08-07

2015-08-07 21:20:00 by Per Hedbor <ph@opera.com>

Run SSL client/server tests in parallel.

2015-07-30

2015-07-30 10:10:43 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Testsuite [SSL]: Potential fix for intermittent failures.

SSL.Context()->get_suites() depends on {min,max}_version. If an earlier
test failed with server_ctx->max_version < PROTOCOL_TLS_1_2, this would
cause the later ECC tests to fail due to the new server_ctx lacking AEAD
suites. The new server_ctx should now contain the full set of suites.

2015-05-17

2015-05-17 14:42:07 by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL [testsuite]: Keep the watchdog alert.

The SSL version interop test can take quite a while on some older
machines, so make sure that the watchdog doesn't kill us.

2015-04-13

2015-04-13 15:35:49 by Martin Nilsson <nilsson@opera.com>

Fix flakyness.

2015-04-13 12:33:27 by Martin Nilsson <nilsson@opera.com>

Send copy of current read_buffer to the alert callback.

2015-04-13 08:43:17 by Martin Nilsson <nilsson@opera.com>

Potentially more correct.

2015-04-09

2015-04-09 16:42:57 by Martin Nilsson <nilsson@opera.com>

ECDHE PSK doesn't require certificates.

2015-04-05

2015-04-05 22:27:35 by Martin Nilsson <nilsson@opera.com>

Added the final defined PSK suites, ECDHE. The suite lookup table test broke as always, but all the defined ciphers appears to work.

2015-03-31

2015-03-31 03:41:36 by Martin Nilsson <nilsson@opera.com>

Optimize export crypto a bit for the testsuite.

2015-03-23

2015-03-23 23:36:04 by Martin Nilsson <nilsson@opera.com>

No one is seriously using export ciphers, so stop optimizing them and throw out some code. (My desktop is doing 710 keys per second)

2015-03-09

2015-03-09 13:32:58 by Martin Nilsson <nilsson@opera.com>

Don't use RC4 by default.

2015-03-07

2015-03-07 13:42:51 by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL.Context: Added support for private FFDHE-groups.

2015-03-04

2015-03-04 19:57:31 by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL.Cipher: Added KeyExchangeExportRSA.

This breaks out the handling of export-RSA from KeyExchangeRSA in
order to reduce the attack surface for attacks like FREAK.

2015-03-04 19:56:20 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Testsuite [SSL]: Removed special case in table verifier.

2015-03-01

2015-03-01 11:55:21 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Testsuite [SSL]: Fixed some erroneous failures.

2015-03-01 11:54:38 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Testsuite [SSL]: Fixed some erroneous failures.

2015-02-28

2015-02-28 12:58:20 by Arne Goedeke <el@laramies.com>

Testsuite: added test for SSL.File()->is_open() in blocking mode

It never returns.

2015-02-28 10:02:58 by Arne Goedeke <el@laramies.com>

Testsuite: added test for SSL.File()->is_open() in blocking mode

It never returns.

2015-02-23

2015-02-23 16:50:52 by Martin Nilsson <nilsson@opera.com>

Null ciphers are still allowed in TLS 1.1, it's just null_with_null_null that is forbidden.

2015-02-23 15:37:29 by Martin Nilsson <nilsson@opera.com>

RSA PSK now works.

2015-02-23 13:54:12 by Martin Nilsson <nilsson@opera.com>

Test case for PSK and DHE PSK against server with RSA certificate.

2015-02-19

2015-02-19 16:27:01 by Martin Nilsson <nilsson@opera.com>

Ops.

2015-02-19 16:17:17 by Martin Nilsson <nilsson@opera.com>

Added support for DHE PSK.

2015-02-19 15:29:27 by Martin Nilsson <nilsson@opera.com>

Return appropriate alert if key id or hint was not recognized.

2015-02-19 14:53:32 by Martin Nilsson <nilsson@opera.com>

Testcases for PSK.

2015-01-27

2015-01-27 15:05:16 by Martin Nilsson <nilsson@opera.com>

Default to secp192r1 instead of escp521r1 to save computations. All curves are tested in the specific curve test.

2015-01-22

2015-01-22 16:21:44 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Testsuite [SSL]: Use SSL.File instead of SSL.sslfile.

Also improved error handling on running out of fds.

2015-01-21

2015-01-21 16:10:22 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Testsuite [SSL]: Fixed the client certificate tests.

2015-01-19

2015-01-19 13:32:40 by Martin Nilsson <nilsson@opera.com>

Deprecated verify_certificates, as auth_level does the same thing. This breaks some tests that appears to be incomplete, so disable them.

2015-01-04

2015-01-04 16:51:19 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Testsuite [SSL]: Parameterized the client certificate test.

Also adds progress indicator to the client certificate test.

2015-01-04 00:01:00 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Testsuite [SSL]: Parameterized the client/server combination test.

Replaced the list of client/server tests (100 tests) with a single
test_tests(), as the number of tests increases as O(n^4) (with
TLS 1.3 the list would grow to 225, and then to 441).

2015-01-03

2015-01-03 16:59:40 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Testsuite [SSL]: Use fmt_version() in progress indicator.

2015-01-01

2015-01-01 12:40:33 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Testsuite [SSL]: More cipher suites obsoleted in TLS 1.3.

TLS 1.3 only has support for ephemeral key exchanges.

2014-12-25

2014-12-25 00:06:25 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Testsuite [SSL]: Test client certificates for all versions of SSL/TLS.

2014-12-25 00:06:23 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Testsuite [SSL]: Improved robustness of test_ssl_connection().

test_ssl_connnection() now survives getting multiple suites where
the first argument is an unsupported suite. This previously led
to getting complaints about not getting the expected suite.

2014-12-25 00:04:59 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Testsuite [SSL]: Test client certificates for all versions of SSL/TLS.

2014-12-24

2014-12-24 09:00:39 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Testsuite [SSL]: Improved robustness of test_ssl_connection().

test_ssl_connnection() now survives getting multiple suites where
the first argument is an unsupported suite. This previously led
to getting complaints about not getting the expected suite.

2014-12-22

2014-12-22 15:00:55 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Testsuite [SSL]: Fixed some erroneous failures.

The server_ctx list of suites needs to be restored after the Suite-B tests.
Otherwise the server will select a different suite than the testsuite expects.

2014-12-22 15:00:36 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Testsuite [SSL]: Use same DN for the RSA certs as for the others.

The RSA cert is created via a different taste of the
Standards.PKCS.Certificate.build_distinguished_name() than
the DSA and ECDSA certs. Reorder the fields to make sure
that the exact same DN is generated in both cases.

Fixes issue where SSL.Context()->find_cert_issuer() either
didn't find the RSA certs, or didn't found only the RSA certs.

2014-12-22 14:59:56 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Testsuite: Added some tests of client certificates.

2014-12-21

2014-12-21 11:18:27 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Testsuite [SSL]: Fixed some erroneous failures.

The server_ctx list of suites needs to be restored after the Suite-B tests.
Otherwise the server will select a different suite than the testsuite expects.

2014-12-20

2014-12-20 21:23:42 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Testsuite [SSL]: Use same DN for the RSA certs as for the others.

The RSA cert is created via a different taste of the
Standards.PKCS.Certificate.build_distinguished_name() than
the DSA and ECDSA certs. Reorder the fields to make sure
that the exact same DN is generated in both cases.

Fixes issue where SSL.Context()->find_cert_issuer() either
didn't find the RSA certs, or didn't found only the RSA certs.

2014-12-12

2014-12-12 16:10:24 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Testsuite: Preparations for testing TLS 1.3.

The SSL testsuite now knows some about which suites that are to be
obsoleted in TLS 1.3.

2014-12-06

2014-12-06 10:16:35 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Testsuite: Added some tests of client certificates.

2014-12-03

2014-12-03 18:47:48 by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL: Reordered some constants for clarity.

Also removes some redundant stuff from the testsuite.

2014-11-29

2014-11-29 16:38:31 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Testsuite: Test SSL session resumption.

2014-11-29 12:15:29 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Testsuite: Test SSL session resumption.

2014-11-28

2014-11-28 17:07:44 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Testsuite: Fixed some state machine bugs in the SSL testsuite.

In some cases the when both the client and server have emptied their
send buffers, the last packet of data from the client may still be in
transit, so wait for all data to arrive at the server before closing
the server side of the connection.

Fixes issue with getting spurious truncated data in the SSL testsuite.

Also fixes bug where client->connect() detecting an expected
handshaking failure caused the threaded test to backtrace.

2014-11-27

2014-11-27 22:48:11 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Testsuite: Fixed some state machine bugs in the SSL testsuite.

In some cases the when both the client and server have emptied their
send buffers, the last packet of data from the client may still be in
transit, so wait for all data to arrive at the server before closing
the server side of the connection.

Fixes issue with getting spurious truncated data in the SSL testsuite.

Also fixes bug where client->connect() detecting an expected
handshaking failure caused the threaded test to backtrace.

2014-11-20

2014-11-20 15:19:25 by Martin Nilsson <nilsson@opera.com>

Added the aliases from RFC 5469.

2014-11-05

2014-11-05 21:10:46 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Testsuite [ssl]: Test the negotiated protocol version.

Test cipher-suite driven protocol downgrade for all client/server
combinations.

Test that the negotiated SSL/TLS version is the expected version.

2014-11-05 20:53:05 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Testsuite [ssl]: Test the negotiated protocol version.

Test cipher-suite driven protocol downgrade for all client/server
combinations.

Test that the negotiated SSL/TLS version is the expected version.

2014-11-04

2014-11-04 16:33:23 by Martin Nilsson <nilsson@opera.com>

Use non-deprecated APIs

2014-11-03

2014-11-03 15:07:18 by Martin Nilsson <nilsson@opera.com>

Use the new PEM methods.

2014-11-03 13:28:58 by Martin Nilsson <nilsson@opera.com>

Don't spam the console with random data.

2014-11-03 13:25:50 by Martin Nilsson <nilsson@opera.com>

Don't spam the console with random data.

2014-11-03 12:31:23 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Testsuite [ssl]: Fixed some special cases.

The certificates used by the testsuite don't support the
KE_dh_rsa and KE_ecdh_rsa suites in TLS 1.1 and earlier.
This means that the corresponding deprecated suites will
fail even after protocol version downgrade.

Fixes [LysLysKOM 21032408].

2014-11-03 12:25:30 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Testsuite [ssl]: Fixed some special cases.

The certificates used by the testsuite don't support the
KE_dh_rsa and KE_ecdh_rsa suites in TLS 1.1 and earlier.
This means that the corresponding deprecated suites will
fail even after protocol version downgrade.

Fixes [LysLysKOM 21032408].

2014-11-03 08:48:35 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Testsuite: Test cipher-suite driven downgrade.

The full suite is now run when the minimum protocol version
is SSL 3.0 for both client and server, and the maximum
protocol version is the same for client and server.

This allows testing of downgrading to older protocol
versions due to the only common cipher suite being
removed in the common protocol version.

Also shortens "expected" to "exp" in lots of places to get past the
m4 4096 byte limit.

2014-11-03 08:48:15 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Testsuite: Test cipher-suite driven downgrade.

The full suite is now run when the minimum protocol version
is SSL 3.0 for both client and server, and the maximum
protocol version is the same for client and server.

This allows testing of downgrading to older protocol
versions due to the only common cipher suite being
removed in the common protocol version.

Also shortens "expected" to "exp" in lots of places to get past the
m4 4096 byte limit.

2014-10-20

2014-10-20 17:00:43 by Martin Nilsson <nilsson@opera.com>

Fix for systems without ECC.

2014-10-20 17:00:18 by Martin Nilsson <nilsson@opera.com>

Fix for systems without ECC.

2014-10-20 15:45:17 by Martin Nilsson <nilsson@opera.com>

Fix for systems without SHA384 or SHA512

2014-10-20 15:30:07 by Martin Nilsson <nilsson@opera.com>

Fix for systems without SHA384 or SHA512

2014-10-15

2014-10-15 20:52:42 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Testsuite: SSL 3.0 doesn't support ECC...

2014-10-15 20:50:58 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Testsuite: SSL 3.0 doesn't support ECC...

2014-09-30

2014-09-30 16:57:14 by Martin Nilsson <nilsson@opera.com>

Somewhat more unwieldy parts interface for single messages, but easier for e.g. certificate chains.

2014-09-18

2014-09-18 05:11:48 by Martin Nilsson <nilsson@opera.com>

Removed compat support for Pike 7.4.

2014-08-15

2014-08-15 20:21:17 by Martin Nilsson <nilsson@opera.com>

Less zero_type.

2014-08-03

2014-08-03 15:18:17 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Testsuite: Don't test so many SSL suites in threaded mode.

Testing just the basic set of suites should be sufficient in
threaded blocking mode (as long as the corresponding nonblocking
test tests all the suites).

2014-08-03 13:34:57 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Testsuite: Keep better track of skipped SSL tests.

2014-08-03 10:11:37 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Testsuite: Test SSL.File in threaded blocking mode.

The main SSL.File testsuite now tests all suites in both
nonblocking callback mode and threaded blocking mode.

2014-07-20

2014-07-20 11:08:36 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Testsuite: Make sure that there are valid certs for old TLS.

Old versions of TLS (before TLS 1.2) can't use SHA256 certs
for most suites as the suites use SHA1 (or even MD5) which
is too weak for SHA256 certs.

This problem was introduced by the GnuTLS interop fix.

2014-06-30

2014-06-30 16:51:46 by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL: Added cipher suites from RFC 7251.

This adds ECDHE/ECDSA variants of the AES-CCM suites from RFC 6655.

NB: Note that there still doesn't seem to be any corresponding
suites with ECDHE/RSA.

2014-06-01

2014-06-01 11:49:27 by Martin Nilsson <nilsson@opera.com>

sslfile -> File and sslport -> port

2014-05-31

2014-05-31 14:57:12 by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL: Don't attempt ECDH suites if we don't have ECC.

Thanks to Chris Angelico <rosuav@gmail.com> for the report.

Fixes [LysLysKOM 20839290]/[Pike mailinglist 13992].

2014-05-29

2014-05-29 11:29:22 by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL.sslfile: Write multiple packets in the same write().

Use the support for writev(2) to write the packets in the write_buffer.

This should improve data throughput measurably.

NB: This reduces the number of required rounds in the backend
during handshaking to the old level.

2014-05-29 11:15:29 by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL.sslfile: Consolidate packets in queue_write().

queue_write() now attempts to keep ~16KB of data to send in the
write_buffer.

NB: For some reason this causes the required number of runs through the
backend during handshaking to increase somewhat.

2014-05-24

2014-05-24 13:04:45 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Testsuite: Moved the async TLS close tests.

The async TLS close tests are now run from the main SSL testsuite,
to avoid missing them when running restricted tests.

FIXME: Consider moving the async_tls_close_test.pike script
somewhere else (Tools.Standalone?).

2014-05-17

2014-05-17 11:43:36 by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL.sslfile: Changed client/server selection API.

Client and server operation is now selected by calling either
connect() (client-side) or accept() (server-side) after creating
the SSL.sslfile object.

Blocking handshaking mode is selected by calling set_blocking()
before either of the above.

2014-05-16

2014-05-16 18:10:39 by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL: Added support for the ChaCha20-Poly1305 suites.

2014-05-15

2014-05-15 20:20:05 by Martin Nilsson <nilsson@opera.com>

Renamed SSL.context to SSL.Context.

2014-05-04

2014-05-04 17:44:46 by Martin Nilsson <nilsson@opera.com>

Compile fixes.

2014-05-04 14:38:39 by Martin Nilsson <nilsson@opera.com>

alert -> Alert.

2014-05-04 14:11:09 by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL: Added some support for Suite B (RFC 6460).

Adds API for simple configuration of Suite B compliance.

NB: There are still some issues left for full compliance.

2014-05-04 12:18:50 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Testsuite: Check that we get the expected SSL suite.

2014-05-01

2014-05-01 20:16:46 by Martin Nilsson <nilsson@opera.com>

packet -> Packet. Slowly moving towards import ".".

2014-04-27

2014-04-27 17:13:22 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Testsuite: Crypto.GCM has moved to Crypto.AES.GCM.

Fixes complaints about the GCM suites not being supported.

2014-04-27 17:09:03 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Testsuite: Improved diagnostics for the SSL tests.

The alert that caused the SSL failure should now be logged if
a failure wasn't expected.

Fixed reporting of the SSL/TLS version in several places.

2014-04-21

2014-04-21 17:36:27 by Martin Nilsson <nilsson@opera.com>

I have no interest to debug deprecated and experimental cipher suites from unreleased version of SSL.

2014-04-18

2014-04-18 03:16:42 by Martin Nilsson <nilsson@opera.com>

Fix m4 issue.

2014-04-17

2014-04-17 15:00:35 by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL: More KE_rsa_fips suites.

According to comments in <nss/sslproto.h> these two suites were
old aliases for the other two KE_rsa_fips suites.

Also adjusts the names to match NSS's names for the two constants.

2014-04-17 14:37:17 by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL: Support KE_rsa_fips.

This seems to have been a key exchange method used to test the TLS 1.0 PRF
during SSL 3.0.

SSL_rsa_fips_with_3des_ede_cbc_sha interoperates with Firefox 24.4.0.

2014-04-10

2014-04-10 19:29:41 by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL.Constants: Added some missing MD5 suites.

Note: These suites are in the range earlier reserved for private use.

2014-04-05

2014-04-05 11:07:34 by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL: Protocol version handling cleanup.

The protocol version is now represented the same way everywhere;
a 16-bit integer with the major (ie 3) in the high 8 bits, and
the minor in the low 8 bits.

Previously there was a mix between having a two element array,
and just keeping track of the minor.

Also strengthens the types of version variables in a few places.

2014-04-04

2014-04-04 19:17:33 by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL: Moved configuration of version restrictions to the context.

The minimum and maximum accepted SSL/TLS versions are now
configured by setting the corresponding variables in the
context object.

This is in line with how other SSL parameters are configured.

2014-03-29

2014-03-29 01:18:45 by Martin Nilsson <nilsson@opera.com>

Some more renaming. Now all MAC objects have the same API. hash does HMAC, hash_packet does HMAC with header and hash_raw does hash with the underlying hash algorithm.

2014-03-29 00:57:35 by Martin Nilsson <nilsson@opera.com>

Name changes. hash to hash_packet and hash_raw to hash.

2014-03-28

2014-03-28 18:03:12 by Martin Nilsson <nilsson@opera.com>

Let the data size be a prime number, so it doesn't match any block size of anything.

2014-03-22

2014-03-22 12:27:00 by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL: Update testsuite to new get_suites() API.

2014-03-18

2014-03-18 21:46:41 by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL: Added the CCM cipher suites from RFC 6655.

2014-03-15

2014-03-15 10:44:49 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Testsuite: Support old Nettle again.

The SSL.Constants.CIPHER_SUITES validator now knows about
the exceptions in the table when features are missing.

2014-03-15 10:30:54 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Testsuite: Added validation of SSL.Constants.CIPHER_SUITES.

The testsuite now ensures that the CIPHER_SUITES table is up to date,
complete and correct, by deriving the expected table entry from the
cipher suite symbol name.

2014-03-15 10:29:56 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Testsuite: Added some more TLS exceptions.

2014-03-14

2014-03-14 18:47:19 by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL: Added filtering of DH_DSS/DH_RSA on cert type.

Refactors the certificate selection by using bitmasks on
the key exchange algorithm. This should provide a minor
speedup of the certificate selection code.

Also unifies handling of DH_DSS/DH_RSA and ECDH_ECDSA/ECDH_RSA
when TLS 1.2 or later is in use.

2014-03-13

2014-03-13 18:37:33 by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL: Added support for some DH cipher suites.

This adds support for the DH_DSS and DH_RSA key exchange
methods, and adds the corresponding cipher suites.

Note that the only difference between the two is whether the
server certificate is signed with DSS or RSA.

2014-03-12

2014-03-12 18:09:56 by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL: Added support for some ECDH cipher suites.

This adds support for the ECDH_ECDSA and ECDH_RSA key exchange
methods, and adds the corresponding cipher suites.

Note that the only difference between the two is whether the
server certificate is signed with ECDSA or RSA.

2014-03-09

2014-03-09 12:51:14 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Testsuite: Test multiple certificates in a single SSL context.

2014-03-07

2014-03-07 20:26:31 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Testsuite: Use add_cert() in the SSL testsuite.

2014-03-01

2014-03-01 07:26:34 by Martin Nilsson <nilsson@opera.com>

Remove deprecated ecdsa accessor. Since ecdsa is new, it doesn't make sense to add legacy API for it.

2014-02-21

2014-02-21 15:52:01 by Martin Nilsson <nilsson@opera.com>

With not only RSA certificates working, and the API made cipher-agnostic, there is no need to access crypto primitives directly. Deprecate the direct access (though it appears the neither prototypes nor getters/setters can actually use deprecation attributes).

2014-02-18

2014-02-18 14:45:43 by Martin Nilsson <nilsson@opera.com>

Removed dead code.

2014-02-12

2014-02-12 16:56:16 by Martin Nilsson <nilsson@opera.com>

Fixed fixme: Test all the supported ECC curves.

2014-02-12 16:00:12 by Martin Nilsson <nilsson@opera.com>

Cleaned up the internal test API.

2014-02-12 15:51:35 by Martin Nilsson <nilsson@opera.com>

Allow the server to have more than one cipher suite, so that suite selection can be tested (although not tested yet). Added explicitly destructs of client and server, which appears to be needed.

2014-02-12 15:29:53 by Martin Nilsson <nilsson@opera.com>

Moved the actual setting up and testing of an SSL connection to a separate function.

2014-01-14

2014-01-14 13:16:54 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Testsuite: Test SSL with ECDSA.

2014-01-05

2014-01-05 15:14:13 by Marcus Comstedt <marcus@mc.pp.se>

Merge branch '8.0' into gobject-introspection

2014-01-04

2014-01-04 14:40:53 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Testsuite: Cleanup the TLS 1.1 and TLS 1.2 testsuite.

List a few more cipher suites that were obsoleted in later TLS versions.

2014-01-02

2014-01-02 16:24:44 by Martin Nilsson <nilsson@opera.com>

Cleaned up HMAC code a bit.

2013-12-22

2013-12-22 15:29:46 by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL: Don't attempt AEAD algorithms before TLS 1.2.

TLS 1.1 and earlier does not support AEAD algorithms,
so don't attempt to use them in that case.

2013-12-19

2013-12-19 18:07:54 by Martin Nilsson <nilsson@opera.com>

Removed accidentally added debug code.

2013-12-03

2013-12-03 00:08:42 by Martin Nilsson <nilsson@opera.com>

Support dhe_dss_mode().

2013-11-30

2013-11-30 22:57:04 by Martin Nilsson <nilsson@opera.com>

Cut test time by 90% by only testing each cipher for each negotiated SSL/TLS version.

2013-11-30 22:41:21 by Martin Nilsson <nilsson@opera.com>

Moving cond_end and reindent.

2013-11-30 21:29:38 by Martin Nilsson <nilsson@opera.com>

Added the weak DES40 versions to the invalid suites. Now completes without errors.

2013-11-27

2013-11-27 21:52:31 by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL: Fixed minor typo in the testsuite.

2013-11-26

2013-11-26 22:43:17 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Testsuite: Don't attempt to use obsolete suites with recent TLS.

2013-11-25

2013-11-25 20:49:36 by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL: Update testsuite to new RSA()->generate_keys() API.

Also adds tests of TLS 1.2.

2013-11-11

2013-11-11 15:40:44 by Martin Nilsson <nilsson@opera.com>

Use cond_begin/cond_end instead of cond_resolv, since it breaks with larger input.

2013-11-02

2013-11-02 16:25:13 by Per Hedbor <ph@opera.com>

Close the client and server connections in the SSL test

We were running out of FD:s on OSX, where the default max is 256

2013-10-29

2013-10-29 15:56:02 by Martin Nilsson <nilsson@opera.com>

Merged dsa_sign_key with rsa_sign key, and make_selfsigned_dsa_certificate with make_selfsigned_rsa_certificate. These are obsoleted by sign_key and make_selfsigned_certificate

2013-10-27

2013-10-27 22:56:10 by Martin Nilsson <nilsson@opera.com>

Use less random random to speed things up.

2013-10-26

2013-10-26 13:36:50 by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL: Test all supported cipher suites.

This currently breaks the testsuite, since the client
code for the ciphers rc4_40 and null seem to be broken.

2013-08-16

2013-08-16 01:16:36 by Martin Nilsson <nilsson@opera.com>

Tools.X509 -> Standards.X509

2013-08-12

2013-08-12 20:29:29 by Martin Nilsson <nilsson@opera.com>

Rewrote PEM.

2013-08-12 14:42:38 by Martin Nilsson <nilsson@opera.com>

Use Standards.PEM instead of Tools.PEM.

2013-08-01

2013-08-01 12:23:03 by Martin Nilsson <nilsson@opera.com>

files is moved to _Stdio

2012-04-01

2012-04-01 16:15:04 by Arne Goedeke <el@laramies.com>

Merge remote branch 'origin/7.9' into breaking_into_pieces

2012-02-19

2012-02-19 18:00:48 by Marcus Comstedt <marcus@mc.pp.se>

SSL: Fix misspelling of "test_do" in testsuite

2011-12-15

2011-12-15 19:02:10 by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL: Moved cond to proper place in the testsuite.

2011-12-15 18:59:49 by Henrik Grubbström (Grubba) <grubba@grubba.org>

SSL: Added tests that client and server are compatible.

2011-11-05

2011-11-05 15:02:44 by Martin Nilsson <nilsson@opera.com>

Removed $Id$.

2011-10-10

2011-10-10 20:30:15 by Martin Stjernholm <mast@lysator.liu.se>

Fixed bug where SSL.sslfile.close could block for nonclean (normal) close on
the client side.

The problem was that close() could do a blocking wait for a remote close
packet or socket close, which it should only do if a "clean" close is
requested. Note that this only happened for close in blocking mode, so the
bug was not that serious.

Also made the handling of clean closes in nonblocking mode more consistent,
which meant some slight changes in the semantics for shutdown() and
is_open().

2011-04-25

2011-04-25 16:41:40 by Martin Stjernholm <mast@lysator.liu.se>

No more foreign_idents.

More pain than they are worth.

2011-04-25 16:12:40 by Martin Stjernholm <mast@lysator.liu.se>

No more foreign_idents.

2011-04-25 16:11:00 by Martin Stjernholm <mast@lysator.liu.se>

No more foreign_idents.

2008-04-30

2008-04-30 17:01:38 by Martin Nilsson <mani@lysator.liu.se>

Don't use legacy notation in tests.

Rev: lib/modules/SSL.pmod/testsuite.in:1.9

2004-05-02

2004-05-02 18:46:49 by Martin Nilsson <mani@lysator.liu.se>

Added markers

Rev: lib/7.0/modules/testsuite.in:1.3
Rev: lib/7.2/modules/testsuite.in:1.2
Rev: lib/7.4/modules/Crypto.pmod/testsuite.in:1.12
Rev: lib/7.4/modules/testsuite.in:1.2
Rev: lib/modules/ADT.pmod/testsuite.in:1.15
Rev: lib/modules/Calendar.pmod/testsuite.in:1.12
Rev: lib/modules/Crypto.pmod/testsuite.in:1.38
Rev: lib/modules/Filesystem.pmod/testsuite.in:1.2
Rev: lib/modules/Graphics.pmod/Graph.pmod/testsuite.in:1.3
Rev: lib/modules/Parser.pmod/LR.pmod/testsuite.in:1.2
Rev: lib/modules/Parser.pmod/XML.pmod/testsuite.in:1.5
Rev: lib/modules/Pike.pmod/testsuite.in:1.3
Rev: lib/modules/Protocols.pmod/XMLRPC.pmod/testsuite.in:1.2
Rev: lib/modules/SSL.pmod/testsuite.in:1.8
Rev: lib/modules/Standards.pmod/ASN1.pmod/testsuite.in:1.8
Rev: lib/modules/Standards.pmod/testsuite.in:1.12
Rev: lib/modules/Stdio.pmod/testsuite.in:1.6
Rev: lib/modules/Tools.pmod/testsuite.in:1.11
Rev: lib/modules/Web.pmod/testsuite.in:1.10
Rev: lib/modules/Yabu.pmod/testsuite.in:1.4
Rev: src/modules/CommonLog/testsuite.in:1.3
Rev: src/modules/Gdbm/testsuite.in:1.7
Rev: src/modules/Gmp/testsuite.in:1.29
Rev: src/modules/Gz/testsuite.in:1.19
Rev: src/modules/Image/testsuite.in:1.18
Rev: src/modules/Java/testsuite.in:1.6
Rev: src/modules/MIME/testsuite.in:1.9
Rev: src/modules/Math/testsuite.in:1.8
Rev: src/modules/Parser/testsuite.in:1.57
Rev: src/modules/Perl/testsuite.in:1.4
Rev: src/modules/Regexp/testsuite.in:1.13
Rev: src/modules/_Charset/testsuite.in:1.8
Rev: src/modules/_Image_GIF/testsuite.in:1.2
Rev: src/modules/_Regexp_PCRE/testsuite.in:1.3
Rev: src/modules/_Roxen/testsuite.in:1.5
Rev: src/modules/_math/testsuite.in:1.12
Rev: src/modules/files/testsuite.in:1.34
Rev: src/modules/spider/testsuite.in:1.11
Rev: src/modules/sprintf/testsuite.in:1.37
Rev: src/modules/system/testsuite.in:1.17
Rev: src/post_modules/Bz2/testsuite.in:1.8
Rev: src/post_modules/Nettle/testsuite.in:1.14
Rev: src/post_modules/Unicode/testsuite.in:1.7
Rev: src/post_modules/_ADT/testsuite.in:1.5
Rev: src/post_modules/_Image_SVG/testsuite.in:1.3
Rev: src/testsuite.in:1.725

2004-02-28

2004-02-28 14:58:34 by Martin Nilsson <mani@lysator.liu.se>

Don't do crypto tests when we have no crypto.

Rev: lib/7.4/modules/Crypto.pmod/testsuite.in:1.9
Rev: lib/modules/Crypto.pmod/testsuite.in:1.34
Rev: lib/modules/SSL.pmod/testsuite.in:1.7

2004-02-03

2004-02-03 13:53:02 by Martin Nilsson <mani@lysator.liu.se>

Use Nettle

Rev: lib/modules/Crypto.pmod/aes.pike:1.3
Rev: lib/modules/Crypto.pmod/des3.pike:1.2
Rev: lib/modules/Protocols.pmod/HTTP.pmod/Server.pmod/SSLPort.pike:1.8
Rev: lib/modules/SSL.pmod/context.pike:1.29
Rev: lib/modules/SSL.pmod/handshake.pike:1.46
Rev: lib/modules/SSL.pmod/https.pike:1.15
Rev: lib/modules/SSL.pmod/testsuite.in:1.6
Rev: lib/modules/Standards.pmod/PKCS.pmod/CSR.pmod:1.10
Rev: lib/modules/Standards.pmod/PKCS.pmod/RSA.pmod:1.19
Rev: lib/modules/Tools.pmod/X509.pmod:1.26

2003-11-13

2003-11-13 16:04:49 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Should now work on systems without Nettle.

Rev: lib/modules/SSL.pmod/testsuite.in:1.5

2003-11-09

2003-11-09 23:11:15 by Martin Nilsson <mani@lysator.liu.se>

Beginning of a SSL test. Currently just sets up an SSL context.

Rev: lib/modules/SSL.pmod/testsuite.in:1.4

2003-04-15

2003-04-15 14:45:32 by Niels Möller <nisse@lysator.liu.se>

Started writing a https test. Doesn't work yet, though.

Rev: lib/modules/SSL.pmod/testsuite.in:1.3

2003-02-07

2003-02-07 12:16:59 by Johan Sundström <oyasumi@gmail.com>

Added newline at EOF.

Rev: lib/modules/Crypto/testsuite.in:1.3
Rev: lib/modules/Graphics.pmod/Graph.pmod/testsuite.in:1.2
Rev: lib/modules/SSL.pmod/testsuite.in:1.2
Rev: lib/modules/Standards.pmod/ASN1.pmod/testsuite.in:1.3
Rev: lib/modules/String.pmod/testsuite.in:1.5
Rev: src/post_modules/Unicode/testsuite.in:1.4

2003-02-07 03:15:15 by Martin Nilsson <mani@lysator.liu.se>

Test compatibility

Rev: lib/modules/SSL.pmod/testsuite.in:1.1