Name Date Size #Lines LOC

..--

certs/H--9,3198,795

ct/H--5442

d2i-tests/H--

helpers/H--5,5794,164

ocsp-tests/H--1,9151,847

recipes/H--214,425188,344

smime-certs/H--697624

smime-eml/H--9486

ssl-tests/H--41,97232,651

testutil/H--2,9372,188

CAtsa.cnfH A D02-Feb-20244.9 KiB165128

README-dev.mdH A D02-Feb-20245.3 KiB161117

README-external.mdH A D02-Feb-20243.1 KiB11774

README.mdH A D02-Feb-20246.1 KiB171113

README.ssltest.mdH A D02-Feb-202410.4 KiB286205

aborttest.cH A D02-Feb-2024467 176

acvp_test.cH A D02-Feb-202451.7 KiB1,5031,317

acvp_test.incH A D02-Feb-202482 KiB2,0361,967

aesgcmtest.cH A D02-Feb-20244.8 KiB137114

afalgtest.cH A D02-Feb-20244.6 KiB161123

algorithmid_test.cH A D02-Feb-202410.3 KiB329268

asn1_decode_test.cH A D02-Feb-20246.3 KiB236163

asn1_dsa_internal_test.cH A D02-Feb-20245.7 KiB185138

asn1_encode_test.cH A D02-Feb-202429.7 KiB909698

asn1_internal_test.cH A D02-Feb-20245.4 KiB201123

asn1_stable_parse_test.cH A D02-Feb-20241.8 KiB8255

asn1_string_table_test.cH A D02-Feb-20241.9 KiB7853

asn1_time_test.cH A D02-Feb-202417.7 KiB419347

asynciotest.cH A D02-Feb-202412.3 KiB418297

asynctest.cH A D02-Feb-202412.8 KiB436355

bad_dtls_test.cH A D27-Jun-202420.3 KiB608435

bftest.cH A D02-Feb-202415.9 KiB488414

bio_callback_test.cH A D02-Feb-202413.6 KiB361316

bio_core_test.cH A D02-Feb-20243.4 KiB12089

bio_enc_test.cH A D02-Feb-20247.4 KiB267214

bio_memleak_test.cH A D02-Feb-20247.2 KiB292240

bio_prefix_text.cH A D02-Feb-20247.4 KiB268209

bio_readbuffer_test.cH A D02-Feb-20243.8 KiB13296

bioprinttest.cH A D02-Feb-202412.5 KiB363291

bn_internal_test.cH A D02-Feb-20242.6 KiB10675

bn_rand_range.hH A D02-Feb-20242 KiB5944

bntest.cH A D02-Feb-202497.9 KiB3,1962,662

bntests.plH A D02-Feb-20244.5 KiB157121

build.infoH A D08-Sep-202437.3 KiB982784

ca-and-certs.cnfH A D02-Feb-20242.2 KiB9076

casttest.cH A D02-Feb-20243.2 KiB11985

chacha_internal_test.cH A D02-Feb-20248 KiB191163

cipher_overhead_test.cH A D02-Feb-20241.7 KiB6342

cipherbytes_test.cH A D02-Feb-20244.4 KiB150115

cipherlist_test.cH A D02-Feb-20247 KiB254198

ciphername_test.cH A D02-Feb-202420.6 KiB471436

clienthellotest.cH A D02-Feb-20248.5 KiB270178

cmactest.cH A D02-Feb-20246 KiB217168

cmp_asn_test.cH A D02-Feb-20244 KiB137105

cmp_client_test.cH A D02-Feb-202418.4 KiB556462

cmp_ctx_test.cH A D02-Feb-202430.7 KiB897769

cmp_hdr_test.cH A D27-Jun-202414 KiB495387

cmp_msg_test.cH A D02-Feb-202418.2 KiB599506

cmp_protect_test.cH A D02-Feb-202421.4 KiB622530

cmp_server_test.cH A D02-Feb-20245.5 KiB173122

cmp_status_test.cH A D02-Feb-20243.2 KiB11372

cmp_vfy_test.cH A D02-Feb-202423.6 KiB707601

cms-examples.plH A D02-Feb-20248.7 KiB366289

cmsapitest.cH A D02-Feb-202415.6 KiB413358

conf_include_test.cH A D02-Feb-20245.7 KiB239180

confdump.cH A D02-Feb-20241.4 KiB5236

constant_time_test.cH A D02-Feb-202412.3 KiB415351

context_internal_test.cH A D02-Feb-20243.6 KiB13887

crltest.cH A D08-Sep-202415.9 KiB455362

ct_test.cH A D27-Jun-202415.8 KiB528415

ctype_internal_test.cH A D02-Feb-20242.7 KiB9167

curve448_internal_test.cH A D02-Feb-202435.9 KiB738643

d2i_test.cH A D02-Feb-20244.1 KiB170120

dane-cross.inH A D02-Feb-20246.9 KiB114112

danetest.cH A D02-Feb-202411 KiB431343

danetest.inH A D02-Feb-202494.5 KiB2,0081,946

danetest.pemH A D02-Feb-2024652 1514

data.binH A D02-Feb-2024128 53

data2.binH A D02-Feb-20243.7 KiB6256

default-and-fips.cnfH A D02-Feb-2024264 1711

default-and-legacy.cnfH A D02-Feb-2024271 1812

default.cnfH A D02-Feb-2024222 149

defltfips_test.cH A D02-Feb-20243 KiB10969

destest.cH A D02-Feb-202431.4 KiB896759

dhtest.cH A D02-Feb-202436 KiB955771

drbgtest.cH A D02-Feb-202426.9 KiB907585

dsa_no_digest_size_test.cH A D02-Feb-20248.5 KiB252185

dsatest.cH A D27-Jun-202418 KiB502436

dtls_mtu_test.cH A D02-Feb-20247.1 KiB243167

dtlstest.cH A D02-Feb-202419.6 KiB613433

dtlsv1listentest.cH A D02-Feb-202412.3 KiB358299

ec_internal_test.cH A D02-Feb-202414.6 KiB463347

ecdsatest.cH A D27-Jun-202414.6 KiB400264

ecdsatest.hH A D02-Feb-2024673.6 KiB10,21510,189

ecstresstest.cH A D27-Jun-20244.1 KiB157112

ectest.cH A D02-Feb-2024121.8 KiB3,0452,403

endecode_test.cH A D08-Sep-202458 KiB1,5171,295

endecoder_legacy_test.cH A D02-Feb-202427.8 KiB732595

enginetest.cH A D02-Feb-202413 KiB466342

errtest.cH A D02-Feb-202410.5 KiB349243

evp_byname_test.cH A D08-Sep-2024900 4125

evp_extra_test.cH A D08-Sep-2024184.3 KiB5,5484,514

evp_extra_test2.cH A D02-Feb-202454 KiB1,2961,079

evp_fetch_prov_test.cH A D02-Feb-202410.4 KiB393309

evp_kdf_test.cH A D02-Feb-202458.1 KiB1,7391,432

evp_libctx_test.cH A D02-Feb-202429.3 KiB767613

evp_pkey_ctx_new_from_name.cH A D02-Feb-2024279 1511

evp_pkey_dparams_test.cH A D02-Feb-202413.5 KiB325289

evp_pkey_provided_test.cH A D27-Jun-202469.4 KiB1,7871,506

evp_test.cH A D27-Jun-2024120.6 KiB4,1753,508

exdatatest.cH A D02-Feb-20248.1 KiB320246

exptest.cH A D02-Feb-20249.3 KiB338259

ext_internal_test.cH A D02-Feb-20242.8 KiB10688

fake_rsaprov.cH A D02-Feb-202416 KiB532408

fake_rsaprov.hH A D02-Feb-2024543 164

fatalerrtest.cH A D02-Feb-20242.9 KiB10269

ffc_internal_test.cH A D02-Feb-202427.5 KiB712578

filterprov.cH A D02-Feb-20247.2 KiB239167

filterprov.hH A D02-Feb-2024523 154

fips-alt.cnfH A D02-Feb-2024376 1712

fips-and-base.cnfH A D02-Feb-2024255 1711

fips.cnfH A D02-Feb-2024474 2014

fips_version_test.cH A D02-Feb-20241.7 KiB7958

generate_buildtest.plH A D02-Feb-2024796 3521

generate_ssl_tests.plH A D02-Feb-20244.7 KiB15692

gmdifftest.cH A D02-Feb-20241.9 KiB6845

hexstr_test.cH A D08-Sep-20243.6 KiB140114

hmactest.cH A D02-Feb-20248.2 KiB303240

http_test.cH A D02-Feb-202412.1 KiB396329

ideatest.cH A D02-Feb-20243.9 KiB12792

igetest.cH A D02-Feb-202416.4 KiB463378

insta.priv.pemH A D02-Feb-20241.6 KiB2827

insta_ca.cert.pemH A D02-Feb-20241.3 KiB2322

invalid-x509.cnfH A D02-Feb-2024125 75

keymgmt_internal_test.cH A D27-Jun-202411.5 KiB359277

legacy.cnfH A D02-Feb-2024219 149

lhash_test.cH A D02-Feb-20246 KiB250188

localetest.cH A D02-Feb-20246.4 KiB137117

mdc2_internal_test.cH A D02-Feb-20241.7 KiB7840

mdc2test.cH A D02-Feb-20242.6 KiB9669

memleaktest.cH A D02-Feb-20241.7 KiB6332

modes_internal_test.cH A D02-Feb-202429.2 KiB900742

moduleloadtest.cH A D02-Feb-20241.3 KiB5432

namemap_internal_test.cH A D02-Feb-20244.8 KiB184134

nodefltctxtest.cH A D02-Feb-20241.7 KiB6128

null.cnfH A D02-Feb-2024213 149

ocspapitest.cH A D02-Feb-20246.3 KiB237195

ossl_store_test.cH A D02-Feb-20245.9 KiB239199

p_minimal.cH A D02-Feb-2024765 259

p_test.cH A D02-Feb-202410.9 KiB321223

packettest.cH A D02-Feb-202415.2 KiB500409

param_build_test.cH A D02-Feb-202420.5 KiB536468

params_api_test.cH A D02-Feb-202424.6 KiB715616

params_conversion_test.cH A D02-Feb-202411.9 KiB369319

params_test.cH A D02-Feb-202424.3 KiB713501

pathed.cnfH A D27-Jun-2024356

pbelutest.cH A D02-Feb-20241.4 KiB5130

pbetest.cH A D02-Feb-20244.8 KiB168122

pem_read_depr_test.cH A D02-Feb-20244.1 KiB217158

pemtest.cH A D02-Feb-20244.5 KiB168134

pkcs12_format_test.cH A D02-Feb-202435.2 KiB962731

pkcs7-1.pemH A D02-Feb-2024851 1615

pkcs7.pemH A D02-Feb-20243.7 KiB5554

pkcs7_test.cH A D02-Feb-20245.7 KiB10489

pkey_meth_kdf_test.cH A D27-Jun-20246.8 KiB205182

pkey_meth_test.cH A D02-Feb-20242.3 KiB9166

pkits-test.plH A D02-Feb-202431.2 KiB906843

poly1305_internal_test.cH A D02-Feb-202456.2 KiB1,5761,402

property_test.cH A D02-Feb-202423.3 KiB677587

prov_config_test.cH A D08-Sep-20243.4 KiB14198

provfetchtest.cH A D02-Feb-20248.4 KiB298235

provider_fallback_test.cH A D08-Sep-20241.5 KiB6443

provider_internal_test.cH A D08-Sep-20244.1 KiB152111

provider_internal_test.cnf.inH A D02-Feb-2024347 1712

provider_pkey_test.cH A D02-Feb-20248.4 KiB309220

provider_status_test.cH A D02-Feb-20247.2 KiB246199

provider_test.cH A D08-Sep-20247.7 KiB272191

proxy.cnfH A D02-Feb-20241.7 KiB6150

punycode_test.cH A D02-Feb-20248 KiB221193

rand_status_test.cH A D02-Feb-2024673 2811

rand_test.cH A D02-Feb-20242 KiB5439

rc2test.cH A D02-Feb-20242.1 KiB7549

rc4test.cH A D02-Feb-20244.1 KiB135104

rc5test.cH A D02-Feb-20249.1 KiB244207

rdrand_sanitytest.cH A D02-Feb-20243.3 KiB12377

recordlentest.cH A D02-Feb-20245.4 KiB205153

recursive.cnfH A D02-Feb-2024129 96

rsa_complex.cH A D02-Feb-2024909 3313

rsa_mp_test.cH A D02-Feb-202411.3 KiB297237

rsa_sp800_56b_test.cH A D02-Feb-202420.9 KiB549444

rsa_test.cH A D02-Feb-202420.2 KiB517416

run_tests.plH A D02-Feb-202411.9 KiB340234

sanitytest.cH A D02-Feb-20244.4 KiB144104

secmemtest.cH A D02-Feb-20245.9 KiB184112

serverinfo.pemH A D02-Feb-2024740 1715

serverinfo2.pemH A D02-Feb-2024412 98

servername_test.cH A D02-Feb-20247.4 KiB269194

session.pemH A D02-Feb-20241.9 KiB3231

sha_test.cH A D02-Feb-20243.7 KiB11188

shibboleth.pfxH A D02-Feb-20242.5 KiB

shlibloadtest.cH A D02-Feb-20248.9 KiB293230

simpledynamic.cH A D02-Feb-20241.7 KiB7955

simpledynamic.hH A D02-Feb-20241.2 KiB5230

siphash_internal_test.cH A D02-Feb-202417.1 KiB292244

sm2_internal_test.cH A D27-Jun-202414.6 KiB429342

sm3_internal_test.cH A D02-Feb-20242.6 KiB8554

sm4_internal_test.cH A D02-Feb-20242.3 KiB8749

smcont.binH A D02-Feb-20247.8 KiB

smcont.txtH A D02-Feb-202483 11

smcont_zero.txtH A D02-Feb-20240

sparse_array_test.cH A D02-Feb-20245.6 KiB198164

srptest.cH A D02-Feb-20248.1 KiB283204

ssl_cert_table_internal_test.cH A D02-Feb-20242.1 KiB6544

ssl_ctx_test.cH A D02-Feb-20242.3 KiB7756

ssl_old_test.cH A D02-Feb-202498.8 KiB3,0042,472

ssl_test.cH A D02-Feb-202419.9 KiB571473

ssl_test.tmplH A D02-Feb-20244.3 KiB127122

ssl_test_ctx_test.cH A D02-Feb-20249.1 KiB265215

ssl_test_ctx_test.cnfH A D02-Feb-20242 KiB9869

sslapitest.cH A D08-Sep-2024377 KiB11,4428,416

sslbuffertest.cH A D27-Jun-202410.6 KiB184117

sslcorrupttest.cH A D02-Feb-20247.3 KiB281198

stack_test.cH A D02-Feb-20249.4 KiB389304

sysdefault.cnfH A D02-Feb-2024440 2415

sysdefaulttest.cH A D02-Feb-20241.1 KiB5135

test.cnfH A D27-Jun-20242.3 KiB7563

test_asn1_parse.cnfH A D02-Feb-2024240 139

test_test.cH A D02-Feb-202418.2 KiB580504

testcrl.pemH A D02-Feb-2024938 1716

testdsa.pemH A D02-Feb-2024672 1312

testdsapub.pemH A D02-Feb-2024654 1312

testec-p112r1.pemH A D02-Feb-2024221 87

testec-p256.pemH A D02-Feb-2024227 65

testecpub-p256.pemH A D02-Feb-2024178 54

tested25519.pemH A D02-Feb-2024119 43

tested25519pub.pemH A D02-Feb-2024113 43

tested448.pemH A D02-Feb-2024156 54

tested448pub.pemH A D02-Feb-2024146 54

testp7.pemH A D02-Feb-20242.8 KiB4746

testreq2.pemH A D02-Feb-2024371 87

testrsa.pemH A D02-Feb-2024526 1110

testrsa2048.pemH A D02-Feb-20241.7 KiB3028

testrsa2048pub.pemH A D02-Feb-2024451 109

testrsa_withattrs.derH A D02-Feb-20241.2 KiB

testrsa_withattrs.pemH A D02-Feb-20241.7 KiB3029

testrsapss.pemH A D02-Feb-20241.7 KiB2928

testrsapssmandatory.pemH A D02-Feb-20241.7 KiB3029

testrsapub.pemH A D02-Feb-2024182 54

testsid.pemH A D02-Feb-20242.3 KiB3938

testutil.hH A D02-Feb-202426.5 KiB636312

testx509.pemH A D02-Feb-2024562 1110

threadstest.cH A D02-Feb-202419.8 KiB729546

threadstest.hH A D02-Feb-20241.4 KiB8352

threadstest_fips.cH A D02-Feb-20241.1 KiB5028

time_offset_test.cH A D02-Feb-20243.2 KiB11483

tls-provider.cH A D27-Jun-202426 KiB858627

tls13ccstest.cH A D02-Feb-202415.2 KiB513386

tls13encryptiontest.cH A D02-Feb-202413.8 KiB418324

tls13secretstest.cH A D02-Feb-202411.5 KiB409312

trace_api_test.cH A D02-Feb-20243.9 KiB164128

uitest.cH A D02-Feb-20242.2 KiB9563

upcallstest.cH A D02-Feb-20243.6 KiB12290

user_property_test.cH A D02-Feb-20243.8 KiB133101

v3-cert1.pemH A D02-Feb-2024944 1716

v3-cert2.pemH A D02-Feb-2024940 1716

v3_ca_exts.cnfH A D02-Feb-2024136 64

v3ext.cH A D27-Jun-202416.1 KiB479379

v3nametest.cH A D02-Feb-202419.8 KiB717509

verify_extra_test.cH A D02-Feb-20248.7 KiB342244

versions.cH A D02-Feb-2024674 2210

wpackettest.cH A D02-Feb-202417.8 KiB446324

x509_check_cert_pkey_test.cH A D02-Feb-20244.9 KiB180135

x509_dup_cert_test.cH A D02-Feb-20241.4 KiB5434

x509_internal_test.cH A D02-Feb-20243 KiB11179

x509_time_test.cH A D02-Feb-202417.7 KiB605455

x509aux.cH A D02-Feb-20245.2 KiB187149

README-dev.md

1Guidelines for test developers
2==============================
3
4How to add recipes
5------------------
6
7For any test that you want to perform, you write a script located in
8`test/recipes/`, named `{nn}-test_{name}.t`,
9where `{nn}` is a two digit number and
10`{name}` is a unique name of your choice.
11
12Please note that if a test involves a new testing executable, you will need to
13do some additions in test/build.info. Please refer to the section
14["Changes to test/build.info"](README.md#changes-to-testbuildinfo) below.
15
16Naming conventions
17------------------
18
19A test executable is named `test/{name}test.c`
20
21A test recipe is named `test/recipes/{nn}-test_{name}.t`, where `{nn}` is a two
22digit number and `{name}` is a unique name of your choice.
23
24The number `{nn}` is (somewhat loosely) grouped as follows:
25
26    00-04  sanity, internal and essential API tests
27    05-09  individual symmetric cipher algorithms
28    10-14  math (bignum)
29    15-19  individual asymmetric cipher algorithms
30    20-24  openssl commands (some otherwise not tested)
31    25-29  certificate forms, generation and verification
32    30-35  engine and evp
33    60-79  APIs:
34       60  X509 subsystem
35       61  BIO subsystem
36       65  CMP subsystem
37       70  PACKET layer
38    80-89  "larger" protocols (CA, CMS, OCSP, SSL, TSA)
39    90-98  misc
40    99     most time consuming tests [such as test_fuzz]
41
42A recipe that just runs a test executable
43-----------------------------------------
44
45A script that just runs a program looks like this:
46
47    #! /usr/bin/env perl
48
49    use OpenSSL::Test::Simple;
50
51    simple_test("test_{name}", "{name}test", "{name}");
52
53`{name}` is the unique name you have chosen for your test.
54
55The second argument to `simple_test` is the test executable, and `simple_test`
56expects it to be located in `test/`
57
58For documentation on `OpenSSL::Test::Simple`,
59do `perldoc util/perl/OpenSSL/Test/Simple.pm`.
60
61A recipe that runs a more complex test
62--------------------------------------
63
64For more complex tests, you will need to read up on Test::More and
65OpenSSL::Test.  Test::More is normally preinstalled, do `man Test::More` for
66documentation.  For OpenSSL::Test, do `perldoc util/perl/OpenSSL/Test.pm`.
67
68A script to start from could be this:
69
70    #! /usr/bin/env perl
71
72    use strict;
73    use warnings;
74    use OpenSSL::Test;
75
76    setup("test_{name}");
77
78    plan tests => 2;                # The number of tests being performed
79
80    ok(test1, "test1");
81    ok(test2, "test1");
82
83    sub test1
84    {
85        # test feature 1
86    }
87
88    sub test2
89    {
90        # test feature 2
91    }
92
93Changes to test/build.info
94--------------------------
95
96Whenever a new test involves a new test executable you need to do the
97following (at all times, replace {NAME} and {name} with the name of your
98test):
99
100 * add `{name}` to the list of programs under `PROGRAMS_NO_INST`
101
102 * create a three line description of how to build the test, you will have
103   to modify the include paths and source files if you don't want to use the
104   basic test framework:
105
106       SOURCE[{name}]={name}.c
107       INCLUDE[{name}]=.. ../include ../apps/include
108       DEPEND[{name}]=../libcrypto libtestutil.a
109
110Generic form of C test executables
111----------------------------------
112
113    #include "testutil.h"
114
115    static int my_test(void)
116    {
117        int testresult = 0;                 /* Assume the test will fail    */
118        int observed;
119
120        observed = function();              /* Call the code under test     */
121        if (!TEST_int_eq(observed, 2))      /* Check the result is correct  */
122            goto end;                       /* Exit on failure - optional   */
123
124        testresult = 1;                     /* Mark the test case a success */
125    end:
126        cleanup();                          /* Any cleanup you require      */
127        return testresult;
128    }
129
130    int setup_tests(void)
131    {
132        ADD_TEST(my_test);                  /* Add each test separately     */
133        return 1;                           /* Indicates success.  Return 0 */
134                                            /* to produce an error with a   */
135                                            /* usage message and -1 for     */
136                                            /* failure to set up with no    */
137                                            /* usage message.               */
138    }
139
140You should use the `TEST_xxx` macros provided by `testutil.h` to test all failure
141conditions.  These macros produce an error message in a standard format if the
142condition is not met (and nothing if the condition is met).  Additional
143information can be presented with the `TEST_info` macro that takes a `printf`
144format string and arguments.  `TEST_error` is useful for complicated conditions,
145it also takes a `printf` format string and argument.  In all cases the `TEST_xxx`
146macros are guaranteed to evaluate their arguments exactly once.  This means
147that expressions with side effects are allowed as parameters.  Thus,
148
149    if (!TEST_ptr(ptr = OPENSSL_malloc(..)))
150
151works fine and can be used in place of:
152
153    ptr = OPENSSL_malloc(..);
154    if (!TEST_ptr(ptr))
155
156The former produces a more meaningful message on failure than the latter.
157
158Note that the test infrastructure automatically sets up all required environment
159variables (such as `OPENSSL_MODULES`, `OPENSSL_CONF`, etc.) for the tests.
160Individual tests may choose to override the default settings as required.
161

README-external.md

1Running external test suites with OpenSSL
2=========================================
3
4It is possible to integrate external test suites into OpenSSL's `make test`.
5This capability is considered a developer option and does not work on all
6platforms.
7
8Python PYCA/Cryptography test suite
9===================================
10
11This python test suite runs cryptographic tests with a local OpenSSL build as
12the implementation.
13
14First checkout the `PYCA/Cryptography` module into `./pyca-cryptography` using:
15
16    $ git submodule update --init
17
18Then configure/build OpenSSL compatible with the python module:
19
20    $ ./config shared enable-external-tests
21    $ make
22
23The tests will run in a python virtual environment which requires virtualenv
24to be installed.
25
26    $ make test VERBOSE=1 TESTS=test_external_pyca
27
28Test failures and suppressions
29------------------------------
30
31Some tests target older (<=1.0.2) versions so will not run. Other tests target
32other crypto implementations so are not relevant. Currently no tests fail.
33
34krb5 test suite
35===============
36
37Much like the PYCA/Cryptography test suite, this builds and runs the krb5
38tests against the local OpenSSL build.
39
40You will need a git checkout of krb5 at the top level:
41
42    $ git clone https://github.com/krb5/krb5
43
44krb5's master has to pass this same CI, but a known-good version is
45krb5-1.15.1-final if you want to be sure.
46
47    $ cd krb5
48    $ git checkout krb5-1.15.1-final
49    $ cd ..
50
51OpenSSL must be built with external tests enabled:
52
53    $ ./config enable-external-tests
54    $ make
55
56krb5's tests will then be run as part of the rest of the suite, or can be
57explicitly run (with more debugging):
58
59    $ VERBOSE=1 make TESTS=test_external_krb5 test
60
61Test-failures suppressions
62--------------------------
63
64krb5 will automatically adapt its test suite to account for the configuration
65of your system.  Certain tests may require more installed packages to run.  No
66tests are expected to fail.
67
68GOST engine test suite
69===============
70
71Much like the PYCA/Cryptography test suite, this builds and runs the GOST engine
72tests against the local OpenSSL build.
73
74You will need a git checkout of gost-engine at the top level:
75
76    $ git submodule update --init
77
78Then configure/build OpenSSL enabling external tests:
79
80    $ ./config shared enable-external-tests
81    $ make
82
83GOST engine requires CMake for the build process.
84
85GOST engine tests will then be run as part of the rest of the suite, or can be
86explicitly run (with more debugging):
87
88    $ make test VERBOSE=1 TESTS=test_external_gost_engine
89
90Updating test suites
91====================
92
93To update the commit for any of the above test suites:
94
95- Make sure the submodules are cloned locally:
96
97    $ git submodule update --init --recursive
98
99- Enter subdirectory and pull from the repository (use a specific branch/tag if required):
100
101    $ cd `<submodule-dir>`
102    $ git pull origin master
103
104- Go to root directory, there should be a new git status:
105
106    $ cd ../
107    $ git status
108      ...
109      #       modified:   `<submodule-dir>` (new commits)
110      ...
111
112- Add/commit/push the update
113
114    $ git add `<submodule-dir>`
115    $ git commit -m `"Updated <submodule> to latest commit"`
116    $ git push
117

README.md

1Using OpenSSL Tests
2===================
3
4After a successful build, and before installing, the libraries should be tested.
5Run:
6
7    $ make test                                      # Unix
8    $ mms test                                       ! OpenVMS
9    $ nmake test                                     # Windows
10
11**Warning:** you MUST run the tests from an unprivileged account
12(or disable your privileges temporarily if your platform allows it).
13
14If some tests fail, take a look at the section Test Failures below.
15
16Test Failures
17-------------
18
19If some tests fail, look at the output.  There may be reasons for the failure
20that isn't a problem in OpenSSL itself (like an OS malfunction or a Perl issue).
21You may want increased verbosity, that can be accomplished like this:
22
23Full verbosity, showing full output of all successful and failed test cases
24(`make` macro `VERBOSE` or `V`):
25
26    $ make V=1 test                                  # Unix
27    $ mms /macro=(V=1) test                          ! OpenVMS
28    $ nmake V=1 test                                 # Windows
29
30Verbosity on failed (sub-)tests only
31(`VERBOSE_FAILURE` or `VF` or `REPORT_FAILURES`):
32
33    $ make test VF=1
34
35Verbosity on failed (sub-)tests, in addition progress on succeeded (sub-)tests
36(`VERBOSE_FAILURE_PROGRESS` or `VFP` or `REPORT_FAILURES_PROGRESS`):
37
38    $ make test VFP=1
39
40If you want to run just one or a few specific tests, you can use
41the make variable TESTS to specify them, like this:
42
43    $ make TESTS='test_rsa test_dsa' test            # Unix
44    $ mms/macro="TESTS=test_rsa test_dsa" test       ! OpenVMS
45    $ nmake TESTS="test_rsa test_dsa" test           # Windows
46
47And of course, you can combine (Unix examples shown):
48
49    $ make test TESTS='test_rsa test_dsa' VF=1
50    $ make test TESTS="test_cmp_*" VFP=1
51
52You can find the list of available tests like this:
53
54    $ make list-tests                                # Unix
55    $ mms list-tests                                 ! OpenVMS
56    $ nmake list-tests                               # Windows
57
58Have a look at the manual for the perl module Test::Harness to
59see what other HARNESS_* variables there are.
60
61To report a bug please open an issue on GitHub, at
62<https://github.com/openssl/openssl/issues>.
63
64For more details on how the `make` variables `TESTS` can be used,
65see section Running Selected Tests below.
66
67Running Selected Tests
68----------------------
69
70The `make` variable `TESTS` supports a versatile set of space separated tokens
71with which you can specify a set of tests to be performed.  With a "current
72set of tests" in mind, initially being empty, here are the possible tokens:
73
74     alltests      The current set of tests becomes the whole set of available
75                   tests (as listed when you do 'make list-tests' or similar).
76
77     xxx           Adds the test 'xxx' to the current set of tests.
78
79    -xxx           Removes 'xxx' from the current set of tests.  If this is the
80                   first token in the list, the current set of tests is first
81                   assigned the whole set of available tests, effectively making
82                   this token equivalent to TESTS="alltests -xxx".
83
84     nn            Adds the test group 'nn' (which is a number) to the current
85                   set of tests.
86
87    -nn            Removes the test group 'nn' from the current set of tests.
88                   If this is the first token in the list, the current set of
89                   tests is first assigned the whole set of available tests,
90                   effectively making this token equivalent to
91                   TESTS="alltests -xxx".
92
93Also, all tokens except for "alltests" may have wildcards, such as *.
94(on Unix and Windows, BSD style wildcards are supported, while on VMS,
95it's VMS style wildcards)
96
97### Examples
98
99Run all tests except for the fuzz tests:
100
101    $ make TESTS='-test_fuzz*' test
102
103or, if you want to be explicit:
104
105    $ make TESTS='alltests -test_fuzz*' test
106
107Run all tests that have a name starting with "test_ssl" but not those
108starting with "test_ssl_":
109
110    $ make TESTS='test_ssl* -test_ssl_*' test
111
112Run only test group 10:
113
114    $ make TESTS='10' test
115
116Run all tests except the slow group (group 99):
117
118    $ make TESTS='-99' test
119
120Run all tests in test groups 80 to 99 except for tests in group 90:
121
122    $ make TESTS='[89]? -90' test
123
124To run specific fuzz tests you can use for instance:
125
126    $ make test TESTS='test_fuzz_cmp test_fuzz_cms'
127
128To stochastically verify that the algorithm that produces uniformly distributed
129random numbers is operating correctly (with a false positive rate of 0.01%):
130
131    $ ./util/wrap.sh test/bntest -stochastic
132
133Running Tests in Parallel
134-------------------------
135
136By default the test harness will execute the selected tests sequentially.
137Depending on the platform characteristics, running more than one test job in
138parallel may speed up test execution.
139This can be requested by setting the `HARNESS_JOBS` environment variable to a
140positive integer value. This specifies the maximum number of test jobs to run in
141parallel.
142
143Depending on the Perl version different strategies could be adopted to select
144which test recipes can be run in parallel.  In recent versions of Perl, unless
145specified otherwise, any task can be run in parallel. Consult the documentation
146for `TAP::Harness` to know more.
147
148To run up to four tests in parallel at any given time:
149
150    $ make HARNESS_JOBS=4 test
151
152Randomisation of Test Ordering
153------------------------------
154
155By default, the test harness will execute tests in the order they were added.
156By setting the `OPENSSL_TEST_RAND_ORDER` environment variable to zero, the
157test ordering will be randomised.  If a randomly ordered test fails, the
158seed value used will be reported.  Setting the `OPENSSL_TEST_RAND_ORDER`
159environment variable to this value will rerun the tests in the same
160order.  This assures repeatability of randomly ordered test runs.
161This repeatability is independent of the operating system, processor or
162platform used.
163
164To randomise the test ordering:
165
166    $ make OPENSSL_TEST_RAND_ORDER=0 test
167
168To run the tests using the order defined by the random seed `42`:
169
170    $ make OPENSSL_TEST_RAND_ORDER=42 test
171

README.ssltest.md

1SSL tests
2=========
3
4SSL testcases are configured in the `ssl-tests` directory.
5
6Each `ssl_*.cnf.in` file contains a number of test configurations. These files
7are used to generate testcases in the OpenSSL CONF format.
8
9The precise test output can be dependent on the library configuration. The test
10harness generates the output files on the fly.
11
12However, for verification, we also include checked-in configuration outputs
13corresponding to the default configuration. These testcases live in
14`test/ssl-tests/*.cnf` files.
15
16For more details, see `ssl-tests/01-simple.cnf.in` for an example.
17
18Configuring the test
19--------------------
20
21First, give your test a name. The names do not have to be unique.
22
23An example test input looks like this:
24
25    {
26        name => "test-default",
27        server => { "CipherString" => "DEFAULT" },
28        client => { "CipherString" => "DEFAULT" },
29        test   => { "ExpectedResult" => "Success" },
30    }
31
32The test section supports the following options
33
34### Test mode
35
36* Method - the method to test. One of DTLS or TLS.
37
38* HandshakeMode - which handshake flavour to test:
39  - Simple - plain handshake (default)
40  - Resume - test resumption
41  - RenegotiateServer - test server initiated renegotiation
42  - RenegotiateClient - test client initiated renegotiation
43
44When HandshakeMode is Resume or Renegotiate, the original handshake is expected
45to succeed. All configured test expectations are verified against the second
46handshake.
47
48* ApplicationData - amount of application data bytes to send (integer, defaults
49  to 256 bytes). Applies to both client and server. Application data is sent in
50  64kB chunks (but limited by MaxFragmentSize and available parallelization, see
51  below).
52
53* MaxFragmentSize - maximum send fragment size (integer, defaults to 512 in
54  tests - see `SSL_CTX_set_max_send_fragment` for documentation). Applies to
55  both client and server. Lowering the fragment size will split handshake and
56  application data up between more `SSL_write` calls, thus allowing to exercise
57  different code paths. In particular, if the buffer size (64kB) is at least
58  four times as large as the maximum fragment, interleaved multi-buffer crypto
59  implementations may be used on some platforms.
60
61### Test expectations
62
63* ExpectedResult - expected handshake outcome. One of
64  - Success - handshake success
65  - ServerFail - serverside handshake failure
66  - ClientFail - clientside handshake failure
67  - InternalError - some other error
68
69* ExpectedClientAlert, ExpectedServerAlert - expected alert. See
70  `test/helpers/ssl_test_ctx.c` for known values. Note: the expected alert is currently
71  matched against the _last_ received alert (i.e., a fatal alert or a
72  `close_notify`). Warning alert expectations are not yet supported. (A warning
73  alert will not be correctly matched, if followed by a `close_notify` or
74  another alert.)
75
76* ExpectedProtocol - expected negotiated protocol. One of
77  SSLv3, TLSv1, TLSv1.1, TLSv1.2.
78
79* SessionTicketExpected - whether or not a session ticket is expected
80  - Ignore - do not check for a session ticket (default)
81  - Yes - a session ticket is expected
82  - No - a session ticket is not expected
83
84* SessionIdExpected - whether or not a session id is expected
85  - Ignore - do not check for a session id (default)
86  - Yes - a session id is expected
87  - No - a session id is not expected
88
89* ResumptionExpected - whether or not resumption is expected (Resume mode only)
90  - Yes - resumed handshake
91  - No - full handshake (default)
92
93* ExpectedNPNProtocol, ExpectedALPNProtocol - NPN and ALPN expectations.
94
95* ExpectedTmpKeyType - the expected algorithm or curve of server temp key
96
97* ExpectedServerCertType, ExpectedClientCertType - the expected algorithm or
98  curve of server or client certificate
99
100* ExpectedServerSignHash, ExpectedClientSignHash - the expected
101  signing hash used by server or client certificate
102
103* ExpectedServerSignType, ExpectedClientSignType - the expected
104  signature type used by server or client when signing messages
105
106* ExpectedClientCANames - for client auth list of CA names the server must
107  send. If this is "empty" the list is expected to be empty otherwise it
108  is a file of certificates whose subject names form the list.
109
110* ExpectedServerCANames - list of CA names the client must send, TLS 1.3 only.
111  If this is "empty" the list is expected to be empty otherwise it is a file
112  of certificates whose subject names form the list.
113
114Configuring the client and server
115---------------------------------
116
117The client and server configurations can be any valid `SSL_CTX`
118configurations. For details, see the manpages for `SSL_CONF_cmd`.
119
120Give your configurations as a dictionary of CONF commands, e.g.
121
122    server => {
123        "CipherString" => "DEFAULT",
124        "MinProtocol" => "TLSv1",
125    }
126
127The following sections may optionally be defined:
128
129* server2 - this section configures a secondary context that is selected via the
130  ServerName test option. This context is used whenever a ServerNameCallback is
131  specified. If the server2 section is not present, then the configuration
132  matches server.
133* resume_server - this section configures the client to resume its session
134  against a different server. This context is used whenever HandshakeMode is
135  Resume. If the resume_server section is not present, then the configuration
136  matches server.
137* resume_client - this section configures the client to resume its session with
138  a different configuration. In practice this may occur when, for example,
139  upgraded clients reuse sessions persisted on disk.  This context is used
140  whenever HandshakeMode is Resume. If the resume_client section is not present,
141  then the configuration matches client.
142
143### Configuring callbacks and additional options
144
145Additional handshake settings can be configured in the `extra` section of each
146client and server:
147
148    client => {
149        "CipherString" => "DEFAULT",
150        extra => {
151            "ServerName" => "server2",
152        }
153    }
154
155#### Supported client-side options
156
157* ClientVerifyCallback - the client's custom certificate verify callback.
158  Used to test callback behaviour. One of
159  - None - no custom callback (default)
160  - AcceptAll - accepts all certificates.
161  - RejectAll - rejects all certificates.
162
163* ServerName - the server the client should attempt to connect to. One of
164  - None - do not use SNI (default)
165  - server1 - the initial context
166  - server2 - the secondary context
167  - invalid - an unknown context
168
169* CTValidation - Certificate Transparency validation strategy. One of
170  - None - no validation (default)
171  - Permissive - SSL_CT_VALIDATION_PERMISSIVE
172  - Strict - SSL_CT_VALIDATION_STRICT
173
174#### Supported server-side options
175
176* ServerNameCallback - the SNI switching callback to use
177  - None - no callback (default)
178  - IgnoreMismatch - continue the handshake on SNI mismatch
179  - RejectMismatch - abort the handshake on SNI mismatch
180
181* BrokenSessionTicket - a special test case where the session ticket callback
182  does not initialize crypto.
183  - No (default)
184  - Yes
185
186#### Mutually supported options
187
188* NPNProtocols, ALPNProtocols - NPN and ALPN settings. Server and client
189  protocols can be specified as a comma-separated list, and a callback with the
190  recommended behaviour will be installed automatically.
191
192* SRPUser, SRPPassword - SRP settings. For client, this is the SRP user to
193  connect as; for server, this is a known SRP user.
194
195### Default server and client configurations
196
197The default server certificate and CA files are added to the configurations
198automatically. Server certificate verification is requested by default.
199
200You can override these options by redefining them:
201
202    client => {
203        "VerifyCAFile" => "/path/to/custom/file"
204    }
205
206or by deleting them
207
208    client => {
209        "VerifyCAFile" => undef
210    }
211
212Adding a test to the test harness
213---------------------------------
214
2151. Add a new test configuration to `test/ssl-tests`, following the examples of
216   existing `*.cnf.in` files (for example, `01-simple.cnf.in`).
217
2182. Generate the generated `*.cnf` test input file. You can do so by running
219   `generate_ssl_tests.pl`:
220
221    $ ./config
222    $ cd test
223    $ TOP=.. perl -I ../util/perl/ generate_ssl_tests.pl \
224      ssl-tests/my.cnf.in default > ssl-tests/my.cnf
225
226where `my.cnf.in` is your test input file and `default` is the provider to use.
227For all the pre-generated test files you should use the default provider.
228
229For example, to generate the test cases in `ssl-tests/01-simple.cnf.in`, do
230
231    $ TOP=.. perl -I ../util/perl/ generate_ssl_tests.pl \
232      ssl-tests/01-simple.cnf.in default > ssl-tests/01-simple.cnf
233
234Alternatively (hackish but simple), you can comment out
235
236    unlink glob $tmp_file;
237
238in `test/recipes/80-test_ssl_new.t` and run
239
240    $ make TESTS=test_ssl_new test
241
242This will save the generated output in a `*.tmp` file in the build directory.
243
2443. Update the number of tests planned in `test/recipes/80-test_ssl_new.t`. If
245   the test suite has any skip conditions, update those too (see
246   `test/recipes/80-test_ssl_new.t` for details).
247
248Running the tests with the test harness
249---------------------------------------
250
251    HARNESS_VERBOSE=yes make TESTS=test_ssl_new test
252
253Running a test manually
254-----------------------
255
256These steps are only needed during development. End users should run `make test`
257or follow the instructions above to run the SSL test suite.
258
259To run an SSL test manually from the command line, the `TEST_CERTS_DIR`
260environment variable to point to the location of the certs. E.g., from the root
261OpenSSL directory, do
262
263    $ CTLOG_FILE=test/ct/log_list.cnf TEST_CERTS_DIR=test/certs test/ssl_test \
264      test/ssl-tests/01-simple.cnf default
265
266or for shared builds
267
268    $ CTLOG_FILE=test/ct/log_list.cnf  TEST_CERTS_DIR=test/certs \
269      util/wrap.pl test/ssl_test test/ssl-tests/01-simple.cnf default
270
271In the above examples, `default` is the provider to use.
272
273Note that the test expectations sometimes depend on the Configure settings. For
274example, the negotiated protocol depends on the set of available (enabled)
275protocols: a build with `enable-ssl3` has different test expectations than a
276build with `no-ssl3`.
277
278The Perl test harness automatically generates expected outputs, so users who
279just run `make test` do not need any extra steps.
280
281However, when running a test manually, keep in mind that the repository version
282of the generated `test/ssl-tests/*.cnf` correspond to expected outputs in with
283the default Configure options. To run `ssl_test` manually from the command line
284in a build with a different configuration, you may need to generate the right
285`*.cnf` file from the `*.cnf.in` input first.
286