Changeset 105949 in vbox for trunk/src/libs/openssl-3.1.7/test

Timestamp:

Sep 4, 2024 12:53:14 PM (6 months ago)

Author:

vboxsync

svn:sync-xref-src-repo-rev:

164683

Message:

openssl-3.1.7: Applied and adjusted our OpenSSL changes to 3.1.7. bugref:10757

Location:

trunk/src/libs/openssl-3.1.7/test

Files:

• bad_dtls_test.c (modified) (3 diffs)
• build.info (modified) (3 diffs)
• cmp_hdr_test.c (modified) (7 diffs)
• crltest.c (modified) (4 diffs)
• ct_test.c (modified) (2 diffs)
• dsatest.c (modified) (3 diffs)
• ecdsatest.c (modified) (2 diffs)
• ecstresstest.c (modified) (2 diffs)
• endecode_test.c (modified) (6 diffs)
• evp_extra_test.c (modified) (9 diffs)
• evp_kdf_test.c (modified) (2 diffs)
• evp_pkey_provided_test.c (modified) (14 diffs)
• evp_test.c (modified) (5 diffs)
• helpers/handshake.c (modified) (2 diffs)
• helpers/ssltestlib.c (modified) (3 diffs)
• helpers/ssltestlib.h (modified) (2 diffs)
• hexstr_test.c (modified) (2 diffs)
• keymgmt_internal_test.c (modified) (3 diffs)
• pkey_meth_kdf_test.c (modified) (6 diffs)
• prov_config_test.c (modified) (7 diffs)
• provider_fallback_test.c (modified) (2 diffs)
• provider_internal_test.c (modified) (2 diffs)
• provider_status_test.c (modified) (4 diffs)
• provider_test.c (modified) (2 diffs)
• recipes/03-test_fipsinstall.t (modified) (2 diffs)
• recipes/04-test_conf.t (modified) (2 diffs)
• recipes/25-test_eai_data.t (modified) (4 diffs)
• recipes/25-test_req.t (modified) (2 diffs)
• recipes/30-test_evp_data/evppkey_dsa.txt (modified) (5 diffs)
• recipes/30-test_evp_data/evppkey_ecdsa.txt (modified) (2 diffs)
• recipes/30-test_evp_data/evppkey_rsa_common.txt (modified) (2 diffs)
• recipes/30-test_prov_config.t (modified) (3 diffs)
• recipes/80-test_pkcs12.t (modified) (2 diffs)
• recipes/90-test_shlibload.t (modified) (2 diffs)
• recipes/90-test_sslapi.t (modified) (11 diffs)
• sm2_internal_test.c (modified) (4 diffs)
• ssl-tests/08-npn.cnf (modified) (14 diffs)
• ssl-tests/08-npn.cnf.in (modified) (2 diffs)
• ssl-tests/09-alpn.cnf (modified) (3 diffs)
• ssl-tests/09-alpn.cnf.in (modified) (2 diffs)
• ssl-tests/14-curves.cnf.in (modified) (1 diff)
• ssl-tests/20-cert-select.cnf (modified) (13 diffs)
• ssl-tests/20-cert-select.cnf.in (modified) (2 diffs)
• ssl-tests/28-seclevel.cnf.in (modified) (3 diffs)
• sslapitest.c (modified) (26 diffs)
• sslbuffertest.c (modified) (4 diffs)
• test.cnf (modified) (1 diff)
• tls-provider.c (modified) (5 diffs)
• v3ext.c (modified) (5 diffs)

trunk/src/libs/openssl-3.1.7/test/bad_dtls_test.c

@@ -1 +1 @@
 /*
- * Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
@@ -505 +505 @@
             || !TEST_true(SSL_set_session(con, sess)))
         goto end;
+    SSL_SESSION_free(sess);
 
     rbio = BIO_new(BIO_s_mem());
@@ -592 +593 @@
 
  end:
-    SSL_SESSION_free(sess);
     BIO_free(rbio);
     BIO_free(wbio);

trunk/src/libs/openssl-3.1.7/test/build.info

@@ -41 +41 @@
           evp_pkey_provided_test evp_test evp_extra_test evp_extra_test2 \
           evp_fetch_prov_test evp_libctx_test ossl_store_test \
-          v3nametest v3ext punycode_test evp_byname_test \
+          v3nametest v3ext punycode_test \
           crltest danetest bad_dtls_test lhash_test sparse_array_test \
           conf_include_test params_api_test params_conversion_test \
@@ -306 +306 @@
   DEPEND[punycode_test]=../libcrypto.a libtestutil.a
 
-  SOURCE[evp_byname_test]=evp_byname_test.c
-  INCLUDE[evp_byname_test]=../include ../apps/include
-  DEPEND[evp_byname_test]=../libcrypto libtestutil.a
-
   SOURCE[stack_test]=stack_test.c
   INCLUDE[stack_test]=../include ../apps/include
@@ -879 +875 @@
   IF[{- $disabled{module} || !$target{dso_scheme} -}]
     DEFINE[provider_test]=NO_PROVIDER_MODULE
-    DEFINE[prov_config_test]=NO_PROVIDER_MODULE
     DEFINE[provider_internal_test]=NO_PROVIDER_MODULE
   ENDIF

trunk/src/libs/openssl-3.1.7/test/cmp_hdr_test.c

@@ -1 +1 @@
 /*
- * Copyright 2007-2024 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved.
  * Copyright Nokia 2007-2019
  * Copyright Siemens AG 2015-2019
@@ -72 +72 @@
 static int execute_HDR_get0_senderNonce_test(CMP_HDR_TEST_FIXTURE *fixture)
 {
-    int res = 0;
     X509_NAME *sender = X509_NAME_new();
     ASN1_OCTET_STRING *sn;
 
     if (!TEST_ptr(sender))
-        goto err;
+        return 0;
 
     X509_NAME_ADD(sender, "CN", "A common sender name");
     if (!TEST_int_eq(OSSL_CMP_CTX_set1_subjectName(fixture->cmp_ctx, sender),
                      1))
-        goto err;
+        return 0;
     if (!TEST_int_eq(ossl_cmp_hdr_init(fixture->cmp_ctx, fixture->hdr),
                      1))
-        goto err;
+        return 0;
     sn = ossl_cmp_hdr_get0_senderNonce(fixture->hdr);
     if (!TEST_int_eq(ASN1_OCTET_STRING_cmp(fixture->cmp_ctx->senderNonce, sn),
                      0))
-        goto err;
-
-    res = 1;
-err:
+        return 0;
     X509_NAME_free(sender);
-
-    return res;
+    return 1;
 }
 
@@ -108 +103 @@
 static int execute_HDR_set1_sender_test(CMP_HDR_TEST_FIXTURE *fixture)
 {
-    int res = 0;
     X509_NAME *x509name = X509_NAME_new();
 
     if (!TEST_ptr(x509name))
-        goto err;
+        return 0;
 
     X509_NAME_ADD(x509name, "CN", "A common sender name");
     if (!TEST_int_eq(ossl_cmp_hdr_set1_sender(fixture->hdr, x509name), 1))
-        goto err;
-
+        return 0;
     if (!TEST_int_eq(fixture->hdr->sender->type, GEN_DIRNAME))
-        goto err;
+        return 0;
 
     if (!TEST_int_eq(X509_NAME_cmp(fixture->hdr->sender->d.directoryName,
                                    x509name), 0))
-        goto err;
-
-    res = 1;
-err:
+        return 0;
+
     X509_NAME_free(x509name);
-
-    return res;
+    return 1;
 }
 
@@ -142 +132 @@
 static int execute_HDR_set1_recipient_test(CMP_HDR_TEST_FIXTURE *fixture)
 {
-    int res = 0;
     X509_NAME *x509name = X509_NAME_new();
 
     if (!TEST_ptr(x509name))
-        goto err;
+        return 0;
 
     X509_NAME_ADD(x509name, "CN", "A common recipient name");
     if (!TEST_int_eq(ossl_cmp_hdr_set1_recipient(fixture->hdr, x509name), 1))
-        goto err;
+        return 0;
 
     if (!TEST_int_eq(fixture->hdr->recipient->type, GEN_DIRNAME))
-        goto err;
+        return 0;
 
     if (!TEST_int_eq(X509_NAME_cmp(fixture->hdr->recipient->d.directoryName,
                                    x509name), 0))
-        goto err;
-
-    res = 1;
-err:
+        return 0;
+
     X509_NAME_free(x509name);
-
-    return res;
+    return 1;
 }
 
@@ -218 +204 @@
 
     if (!TEST_ptr(senderKID))
-        goto err;
+        return 0;
 
     if (!TEST_int_eq(ASN1_OCTET_STRING_set(senderKID, rand_data,
@@ -280 +266 @@
 
     if (!TEST_ptr(text))
-        goto err;
+        return 0;
 
     if (!ASN1_STRING_set(text, "A free text", -1))
@@ -295 +281 @@
  err:
     ASN1_UTF8STRING_free(text);
-
     return res;
 }

trunk/src/libs/openssl-3.1.7/test/crltest.c

@@ -1 +1 @@
 /*
- * Copyright 2015-2024 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2015-2022 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
@@ -102 +102 @@
 };
 
-static const char *kInvalidCRL[] = {
-    "-----BEGIN X509 CRL-----\n",
-    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n",
-    "-----END X509 CRL-----\n",
-    NULL
-};
-
 static const char *kBadIssuerCRL[] = {
     "-----BEGIN X509 CRL-----\n",
@@ -379 +372 @@
 }
 
-static int test_reuse_crl(int idx)
-{
-    X509_CRL *result, *reused_crl = CRL_from_strings(kBasicCRL);
-    X509_CRL *addref_crl = NULL;
-    char *p = NULL;
-    BIO *b = NULL;
-    int r = 0;
-
-    if (!TEST_ptr(reused_crl))
-        goto err;
-
-    if (idx & 1) {
-        if (!TEST_true(X509_CRL_up_ref(reused_crl)))
-            goto err;
-        addref_crl = reused_crl;
+static int test_reuse_crl(void)
+{
+    X509_CRL *reused_crl = CRL_from_strings(kBasicCRL);
+    char *p;
+    BIO *b = glue2bio(kRevokedCRL, &p);
+
+    if (b == NULL) {
+        OPENSSL_free(p);
+        X509_CRL_free(reused_crl);
+        return 0;
     }
 
-    idx >>= 1;
-    b = glue2bio(idx == 2 ? kRevokedCRL : kInvalidCRL + idx, &p);
-
-    if (!TEST_ptr(b))
-        goto err;
-
-    result = PEM_read_bio_X509_CRL(b, &reused_crl, NULL, NULL);
-
-    switch (idx) {
-    case 0: /* valid PEM + invalid DER */
-        if (!TEST_ptr_null(result)
-                || !TEST_ptr_null(reused_crl))
-            goto err;
-        break;
-    case 1: /* invalid PEM */
-        if (!TEST_ptr_null(result)
-                || !TEST_ptr(reused_crl))
-            goto err;
-        break;
-    case 2:
-        if (!TEST_ptr(result)
-                || !TEST_ptr(reused_crl)
-                || !TEST_ptr_eq(result, reused_crl))
-            goto err;
-        break;
-    }
-
-    r = 1;
-
- err:
+    reused_crl = PEM_read_bio_X509_CRL(b, &reused_crl, NULL, NULL);
+
     OPENSSL_free(p);
     BIO_free(b);
     X509_CRL_free(reused_crl);
-    X509_CRL_free(addref_crl);
-    return r;
+    return 1;
 }
 
@@ -444 +403 @@
     ADD_TEST(test_known_critical_crl);
     ADD_ALL_TESTS(test_unknown_critical_crl, OSSL_NELEM(unknown_critical_crls));
-    ADD_ALL_TESTS(test_reuse_crl, 6);
+    ADD_TEST(test_reuse_crl);
     return 1;
 }

trunk/src/libs/openssl-3.1.7/test/ct_test.c

@@ -1 +1 @@
 /*
- * Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
@@ -451 +451 @@
     fixture->sct_list = sk_SCT_new_null();
     if (fixture->sct_list == NULL)
-    {
-        tear_down(fixture);
-        return 0;
-    }
+            return 0;
 
     if (!TEST_ptr(sct = SCT_new_from_base64(SCT_VERSION_V1, log_id,
                                             CT_LOG_ENTRY_TYPE_X509, timestamp,
                                             extensions, signature)))
-    {
-        tear_down(fixture);
+
         return 0;
-    }
 
     sk_SCT_push(fixture->sct_list, sct);

trunk/src/libs/openssl-3.1.7/test/dsatest.c

@@ -1 +1 @@
 /*
- * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
@@ -333 +333 @@
     BIGNUM *badq = NULL, *badpriv = NULL;
     const unsigned char msg[] = { 0x00 };
-    unsigned int signature_len0;
     unsigned int signature_len;
     unsigned char signature[64];
@@ -377 +376 @@
 
     /* Test passing signature as NULL */
-    if (!TEST_true(DSA_sign(0, msg, sizeof(msg), NULL, &signature_len0, dsa))
-        || !TEST_int_gt(signature_len0, 0))
-        goto err;
-
-    if (!TEST_true(DSA_sign(0, msg, sizeof(msg), signature, &signature_len, dsa))
-        || !TEST_int_gt(signature_len, 0)
-        || !TEST_int_le(signature_len, signature_len0))
+    if (!TEST_true(DSA_sign(0, msg, sizeof(msg), NULL, &signature_len, dsa)))
+        goto err;
+
+    if (!TEST_true(DSA_sign(0, msg, sizeof(msg), signature, &signature_len, dsa)))
         goto err;
 

trunk/src/libs/openssl-3.1.7/test/ecdsatest.c

@@ -1 +1 @@
 /*
- * Copyright 2002-2024 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2002-2023 The OpenSSL Project Authors. All Rights Reserved.
  * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
  *
@@ -351 +351 @@
 {
     int ret;
-    unsigned int siglen0;
     unsigned int siglen;
     unsigned char dgst[128] = { 0 };
     EC_KEY *eckey = NULL;
-    unsigned char *sig = NULL;
-    BIGNUM *kinv = NULL, *rp = NULL;
 
     ret = TEST_ptr(eckey = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1))
           && TEST_int_eq(EC_KEY_generate_key(eckey), 1)
-          && TEST_int_eq(ECDSA_sign(0, dgst, sizeof(dgst), NULL, &siglen0,
-                                    eckey), 1)
-          && TEST_int_gt(siglen0, 0)
-          && TEST_ptr(sig = OPENSSL_malloc(siglen0))
-          && TEST_int_eq(ECDSA_sign(0, dgst, sizeof(dgst), sig, &siglen,
-                                    eckey), 1)
-          && TEST_int_gt(siglen, 0)
-          && TEST_int_le(siglen, siglen0)
-          && TEST_int_eq(ECDSA_verify(0, dgst, sizeof(dgst), sig, siglen,
-                                      eckey), 1)
-          && TEST_int_eq(ECDSA_sign_setup(eckey, NULL, &kinv, &rp), 1)
-          && TEST_int_eq(ECDSA_sign_ex(0, dgst, sizeof(dgst), NULL, &siglen,
-                                       kinv, rp, eckey), 1)
-          && TEST_int_gt(siglen, 0)
-          && TEST_int_le(siglen, siglen0)
-          && TEST_int_eq(ECDSA_sign_ex(0, dgst, sizeof(dgst), sig, &siglen0,
-                                       kinv, rp, eckey), 1)
-          && TEST_int_eq(siglen, siglen0)
-          && TEST_int_eq(ECDSA_verify(0, dgst, sizeof(dgst), sig, siglen,
-                                      eckey), 1);
+          && TEST_int_eq(ECDSA_sign(0, dgst, sizeof(dgst), NULL, &siglen, eckey), 1)
+          && TEST_int_gt(siglen, 0);
     EC_KEY_free(eckey);
-    OPENSSL_free(sig);
-    BN_free(kinv);
-    BN_free(rp);
     return ret;
 }

trunk/src/libs/openssl-3.1.7/test/ecstresstest.c

@@ -1 +1 @@
 /*
- * Copyright 2017-2024 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License");
@@ -80 +80 @@
                                               group))
             || !TEST_ptr(result = walk_curve(group, point, num_repeats)))
-        goto err;
+        return 0;
 
     if (print_mode) {

trunk/src/libs/openssl-3.1.7/test/endecode_test.c

@@ -1 +1 @@
 /*
- * Copyright 2020-2024 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
@@ -1033 +1033 @@
 IMPLEMENT_TEST_SUITE_LEGACY(ECExplicitTri2G, "EC")
 # endif
-# ifndef OPENSSL_NO_SM2
-KEYS(SM2);
-IMPLEMENT_TEST_SUITE(SM2, "SM2", 0)
-# endif
 KEYS(ED25519);
 IMPLEMENT_TEST_SUITE(ED25519, "ED25519", 1)
@@ -1342 +1338 @@
 
     /* FIPS(3.0.0): provider imports explicit params but they won't work #17998 */
-    is_fips_3_0_0 = is_fips && fips_provider_version_eq(testctx, 3, 0, 0);
+    is_fips_3_0_0 = fips_provider_version_eq(testctx, 3, 0, 0);
+    if (is_fips_3_0_0 < 0)
+        return 0;
 
 #ifdef STATIC_LEGACY
@@ -1400 +1398 @@
     MAKE_DOMAIN_KEYS(ECExplicitTri2G, "EC", ec_explicit_tri_params_explicit);
 # endif
-# ifndef OPENSSL_NO_SM2
-    MAKE_KEYS(SM2, "SM2", NULL);
-# endif
     MAKE_KEYS(ED25519, "ED25519", NULL);
     MAKE_KEYS(ED448, "ED448", NULL);
@@ -1449 +1444 @@
         ADD_TEST_SUITE_LEGACY(ECExplicitTri2G);
 # endif
-# ifndef OPENSSL_NO_SM2
-        if (!is_fips_3_0_0) {
-            /* 3.0.0 FIPS provider imports explicit EC params and then fails. */
-            ADD_TEST_SUITE(SM2);
-        }
-# endif
         ADD_TEST_SUITE(ED25519);
         ADD_TEST_SUITE(ED448);
@@ -1512 +1501 @@
     FREE_DOMAIN_KEYS(ECExplicitTri2G);
 # endif
-# ifndef OPENSSL_NO_SM2
-    FREE_KEYS(SM2);
-# endif
     FREE_KEYS(ED25519);
     FREE_KEYS(ED448);

trunk/src/libs/openssl-3.1.7/test/evp_extra_test.c

@@ -1101 +1101 @@
     eckey = NULL;
 
-    for (;;) {
+    while (dup_pk == NULL) {
         ret = 0;
         ctx = EVP_MD_CTX_new();
@@ -1117 +1117 @@
         ctx = NULL;
 
-        if (dup_pk != NULL)
-            break;
-
         if (!TEST_ptr(dup_pk = EVP_PKEY_dup(pkey)))
             goto err;
@@ -1129 +1126 @@
             goto err;
     }
-    ret = 1;
 
  err:
@@ -2559 +2555 @@
         0x68, 0x81, 0xa5, 0x3e, 0x5b, 0x9c, 0x7b, 0x6f, 0x2e, 0xec, 0xc8, 0x47,
         0x7c, 0xfa, 0x47, 0x35, 0x66, 0x82, 0x15, 0x30
-    };
-    size_t expectedlen = sizeof(expected);
-
-    if (!TEST_ptr(pctx = EVP_PKEY_CTX_new_from_name(testctx, "HKDF", testpropq)))
-        goto done;
-
-    outlen = sizeof(out);
-    memset(out, 0, outlen);
-
-    if (!TEST_int_gt(EVP_PKEY_derive_init(pctx), 0)
-            || !TEST_int_gt(EVP_PKEY_CTX_set_hkdf_md(pctx, EVP_sha256()), 0)
-            || !TEST_int_gt(EVP_PKEY_CTX_set1_hkdf_salt(pctx, salt,
-                                                        sizeof(salt) - 1), 0)
-            || !TEST_int_gt(EVP_PKEY_CTX_set1_hkdf_key(pctx, key,
-                                                       sizeof(key) - 1), 0)
-            || !TEST_int_gt(EVP_PKEY_CTX_add1_hkdf_info(pctx, info,
-                                                        sizeof(info) - 1), 0)
-            || !TEST_int_gt(EVP_PKEY_derive(pctx, out, &outlen), 0)
-            || !TEST_mem_eq(out, outlen, expected, expectedlen))
-        goto done;
-
-    ret = 1;
-
- done:
-    EVP_PKEY_CTX_free(pctx);
-
-    return ret;
-}
-
-static int test_empty_salt_info_HKDF(void)
-{
-    EVP_PKEY_CTX *pctx;
-    unsigned char out[20];
-    size_t outlen;
-    int ret = 0;
-    unsigned char salt[] = "";
-    unsigned char key[] = "012345678901234567890123456789";
-    unsigned char info[] = "";
-    const unsigned char expected[] = {
-        0x67, 0x12, 0xf9, 0x27, 0x8a, 0x8a, 0x3a, 0x8f, 0x7d, 0x2c, 0xa3, 0x6a,
-        0xaa, 0xe9, 0xb3, 0xb9, 0x52, 0x5f, 0xe0, 0x06,
     };
     size_t expectedlen = sizeof(expected);
@@ -4721 +4676 @@
 static int test_custom_md_meth(void)
 {
-    ASN1_OBJECT *o = NULL;
     EVP_MD_CTX *mdctx = NULL;
     EVP_MD *tmp = NULL;
@@ -4767 +4721 @@
         goto err;
 
-    if (!TEST_int_eq(OBJ_create("1.3.6.1.4.1.16604.998866.1",
-                                "custom-md", "custom-md"), NID_undef)
-            || !TEST_int_eq(ERR_GET_LIB(ERR_peek_error()), ERR_LIB_OBJ)
-            || !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), OBJ_R_OID_EXISTS))
-        goto err;
-
-    o = ASN1_OBJECT_create(nid, (unsigned char *)
-                                "\53\6\1\4\1\201\201\134\274\373\122\1", 12,
-                                "custom-md", "custom-md");
-    if (!TEST_int_eq(OBJ_add_object(o), nid))
-        goto err;
-
     testresult = 1;
  err:
-    ASN1_OBJECT_free(o);
     EVP_MD_CTX_free(mdctx);
     EVP_MD_meth_free(tmp);
@@ -5366 +5307 @@
 #endif
 
-static int test_invalid_ctx_for_digest(void)
-{
-    int ret;
-    EVP_MD_CTX *mdctx;
-
-    mdctx = EVP_MD_CTX_new();
-    if (!TEST_ptr(mdctx))
-        return 0;
-
-    if (!TEST_int_eq(EVP_DigestUpdate(mdctx, "test", sizeof("test") - 1), 0))
-        ret = 0;
-    else
-        ret = 1;
-
-    EVP_MD_CTX_free(mdctx);
-
-    return ret;
-}
-
 int setup_tests(void)
 {
@@ -5462 +5384 @@
     ADD_TEST(test_HKDF);
     ADD_TEST(test_emptyikm_HKDF);
-    ADD_TEST(test_empty_salt_info_HKDF);
 #ifndef OPENSSL_NO_EC
     ADD_TEST(test_X509_PUBKEY_inplace);
@@ -5550 +5471 @@
 #endif
 
-    ADD_TEST(test_invalid_ctx_for_digest);
-
     return 1;
 }

trunk/src/libs/openssl-3.1.7/test/evp_kdf_test.c

@@ -1859 +1859 @@
 }
 
-/* Test that changing the KBKDF algorithm from KMAC to HMAC works correctly */
-static int test_kbkdf_mac_change(void)
-{
-    int ret = 0;
-    EVP_KDF_CTX *kctx = NULL;
-    OSSL_PARAM params[9], *p = params;
-    /* Test data taken from the evptest corpus */
-    int l = 0, sep = 0, r = 8;
-    static /* const */ unsigned char key[] = {
-        0x3e, 0xdc, 0x6b, 0x5b, 0x8f, 0x7a, 0xad, 0xbd,
-        0x71, 0x37, 0x32, 0xb4, 0x82, 0xb8, 0xf9, 0x79,
-        0x28, 0x6e, 0x1e, 0xa3, 0xb8, 0xf8, 0xf9, 0x9c,
-        0x30, 0xc8, 0x84, 0xcf, 0xe3, 0x34, 0x9b, 0x83
-    };
-    static /* const */ unsigned char info[] = {
-        0x98, 0xe9, 0x98, 0x8b, 0xb4, 0xcc, 0x8b, 0x34,
-        0xd7, 0x92, 0x2e, 0x1c, 0x68, 0xad, 0x69, 0x2b,
-        0xa2, 0xa1, 0xd9, 0xae, 0x15, 0x14, 0x95, 0x71,
-        0x67, 0x5f, 0x17, 0xa7, 0x7a, 0xd4, 0x9e, 0x80,
-        0xc8, 0xd2, 0xa8, 0x5e, 0x83, 0x1a, 0x26, 0x44,
-        0x5b, 0x1f, 0x0f, 0xf4, 0x4d, 0x70, 0x84, 0xa1,
-        0x72, 0x06, 0xb4, 0x89, 0x6c, 0x81, 0x12, 0xda,
-        0xad, 0x18, 0x60, 0x5a
-    };
-    static const unsigned char output[] = {
-        0x6c, 0x03, 0x76, 0x52, 0x99, 0x06, 0x74, 0xa0,
-        0x78, 0x44, 0x73, 0x2d, 0x0a, 0xd9, 0x85, 0xf9
-    };
-    unsigned char out[sizeof(output)];
-
-    params[0] = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_MAC,
-                                                 OSSL_MAC_NAME_KMAC128, 0);
-    params[1] = OSSL_PARAM_construct_end();
-    if (!TEST_ptr(kctx = get_kdfbyname(OSSL_KDF_NAME_KBKDF))
-            || !TEST_true(EVP_KDF_CTX_set_params(kctx, params)))
-        goto err;
-
-    *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_MODE, "COUNTER", 0);
-    *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_MAC, "HMAC", 0);
-    *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST, "SHA256", 0);
-    *p++ = OSSL_PARAM_construct_int(OSSL_KDF_PARAM_KBKDF_USE_L, &l);
-    *p++ = OSSL_PARAM_construct_int(OSSL_KDF_PARAM_KBKDF_USE_SEPARATOR, &sep);
-    *p++ = OSSL_PARAM_construct_int(OSSL_KDF_PARAM_KBKDF_R, &r);
-    *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY,
-                                             key, sizeof(key));
-    *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_INFO,
-                                             info, sizeof(info));
-    *p = OSSL_PARAM_construct_end();
-    if (!TEST_true(EVP_KDF_derive(kctx, out, sizeof(out), params))
-            || !TEST_mem_eq(out, sizeof(out), output, sizeof(output)))
-        goto err;
-
-    ret = 1;
-err:
-    EVP_KDF_CTX_free(kctx);
-    return ret;
-}
-
 int setup_tests(void)
 {
@@ -1978 +1920 @@
 #endif
     ADD_TEST(test_kdf_krb5kdf);
-    ADD_TEST(test_kbkdf_mac_change);
     return 1;
 }

trunk/src/libs/openssl-3.1.7/test/evp_pkey_provided_test.c

@@ -390 +390 @@
         goto err;
 
-    for (;;) {
+    while (dup_pk == NULL) {
         ret = 0;
         if (!TEST_int_eq(EVP_PKEY_get_bits(pk), 32)
@@ -418 +418 @@
               && test_print_key_using_encoder("RSA", pk);
 
-        if (!ret || dup_pk != NULL)
-            break;
-
-        if (!TEST_ptr(dup_pk = EVP_PKEY_dup(pk)))
+        if (!ret || !TEST_ptr(dup_pk = EVP_PKEY_dup(pk)))
             goto err;
         ret = ret && TEST_int_eq(EVP_PKEY_eq(pk, dup_pk), 1);
@@ -606 +603 @@
         goto err;
 
-    for (;;) {
+    while (dup_pk == NULL) {
         ret = 0;
         if (!TEST_int_eq(EVP_PKEY_get_bits(pk), 2048)
@@ -686 +683 @@
               && test_print_key_using_encoder("DH", pk);
 
-        if (!ret || dup_pk != NULL)
-            break;
-
-        if (!TEST_ptr(dup_pk = EVP_PKEY_dup(pk)))
+        if (!ret || !TEST_ptr(dup_pk = EVP_PKEY_dup(pk)))
             goto err;
         ret = ret && TEST_int_eq(EVP_PKEY_eq(pk, dup_pk), 1);
@@ -790 +784 @@
         goto err;
 
-    for (;;) {
+    while (dup_pk == NULL) {
         ret = 0;
         if (!TEST_int_eq(EVP_PKEY_get_bits(pk), 2048)
@@ -864 +858 @@
               && test_print_key_using_encoder("DH", pk);
 
-        if (!ret || dup_pk != NULL)
-            break;
-
-        if (!TEST_ptr(dup_pk = EVP_PKEY_dup(pk)))
+        if (!ret || !TEST_ptr(dup_pk = EVP_PKEY_dup(pk)))
             goto err;
         ret = ret && TEST_int_eq(EVP_PKEY_eq(pk, dup_pk), 1);
@@ -1100 +1091 @@
         goto err;
 
-    for (;;) {
+    while (dup_pk == NULL) {
         ret = 0;
         if (!TEST_int_eq(EVP_PKEY_get_bits(pk), bits)
@@ -1155 +1146 @@
                   && test_print_key_using_encoder(alg, pk);
 
-        if (!ret || dup_pk != NULL)
-            break;
-
-        if (!TEST_ptr(dup_pk = EVP_PKEY_dup(pk)))
+        if (!ret || !TEST_ptr(dup_pk = EVP_PKEY_dup(pk)))
             goto err;
         ret = ret && TEST_int_eq(EVP_PKEY_eq(pk, dup_pk), 1);
@@ -1275 +1263 @@
         goto err;
 
-    for (;;) {
+    while (dup_pk == NULL) {
         ret = 0;
         if (!TEST_int_eq(EVP_PKEY_get_bits(pk), 256)
@@ -1313 +1301 @@
             || !TEST_BN_eq(group_b, b))
             goto err;
-
-        EC_GROUP_free(group);
-        group = NULL;
-        BN_free(group_p);
-        group_p = NULL;
-        BN_free(group_a);
-        group_a = NULL;
-        BN_free(group_b);
-        group_b = NULL;
 
         if (!EVP_PKEY_get_utf8_string_param(pk, OSSL_PKEY_PARAM_GROUP_NAME,
@@ -1351 +1330 @@
               && test_print_key_using_encoder(alg, pk);
 
-        if (!ret || dup_pk != NULL)
-            break;
-
-        if (!TEST_ptr(dup_pk = EVP_PKEY_dup(pk)))
+        if (!ret || !TEST_ptr(dup_pk = EVP_PKEY_dup(pk)))
             goto err;
         ret = ret && TEST_int_eq(EVP_PKEY_eq(pk, dup_pk), 1);
@@ -1600 +1576 @@
         goto err;
 
-    for (;;) {
+    while (dup_pk == NULL) {
         ret = 0;
         if (!TEST_int_eq(EVP_PKEY_get_bits(pk), 2048)
@@ -1649 +1625 @@
             || !TEST_int_eq(pcounter, pcounter_out))
             goto err;
-        BN_free(p_out);
-        p_out = NULL;
-        BN_free(q_out);
-        q_out = NULL;
-        BN_free(g_out);
-        g_out = NULL;
+        BN_free(p);
+        p = NULL;
+        BN_free(q);
+        q = NULL;
+        BN_free(g);
+        g = NULL;
         BN_free(j_out);
         j_out = NULL;
@@ -1682 +1658 @@
               && test_print_key_using_encoder("DSA", pk);
 
-        if (!ret || dup_pk != NULL)
-            break;
-
-        if (!TEST_ptr(dup_pk = EVP_PKEY_dup(pk)))
+        if (!ret || !TEST_ptr(dup_pk = EVP_PKEY_dup(pk)))
             goto err;
         ret = ret && TEST_int_eq(EVP_PKEY_eq(pk, dup_pk), 1);

trunk/src/libs/openssl-3.1.7/test/evp_test.c

@@ -2791 +2791 @@
         return 0;
     p = strchr(name, ':');
-    if (p == NULL)
-        p = "";
-    else
+    if (p != NULL)
         *p++ = '\0';
 
@@ -2804 +2802 @@
 
     rv = OSSL_PARAM_allocate_from_text(kdata->p, defs, name, p,
-                                       strlen(p), NULL);
+                                       p != NULL ? strlen(p) : 0, NULL);
     *++kdata->p = OSSL_PARAM_construct_end();
     if (!rv) {
@@ -2811 +2809 @@
         return 0;
     }
-    if (strcmp(name, "digest") == 0) {
+    if (p != NULL && strcmp(name, "digest") == 0) {
         if (is_digest_disabled(p)) {
             TEST_info("skipping, '%s' is disabled", p);
@@ -2818 +2816 @@
         goto end;
     }
-
-    if ((strcmp(name, "cipher") == 0
-        || strcmp(name, "cekalg") == 0)
+    if (p != NULL
+        && (strcmp(name, "cipher") == 0
+            || strcmp(name, "cekalg") == 0)
         && is_cipher_disabled(p)) {
         TEST_info("skipping, '%s' is disabled", p);
@@ -2826 +2824 @@
         goto end;
     }
-    if ((strcmp(name, "mac") == 0)
+    if (p != NULL
+        && (strcmp(name, "mac") == 0)
         && is_mac_disabled(p)) {
         TEST_info("skipping, '%s' is disabled", p);

trunk/src/libs/openssl-3.1.7/test/helpers/handshake.c

@@ -1 +1 @@
 /*
- * Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
@@ -348 +348 @@
 
     len = strlen(protos);
-
-    if (len == 0) {
-        *out = NULL;
-        *outlen = 0;
-        return 1;
-    }
 
     /* Should never have reuse. */

trunk/src/libs/openssl-3.1.7/test/helpers/ssltestlib.c

@@ -1 +1 @@
 /*
- * Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
@@ -8 +8 @@
  */
 
-/*
- * We need access to the deprecated low level ENGINE APIs for legacy purposes
- * when the deprecated calls are not hidden
- */
-#ifndef OPENSSL_NO_DEPRECATED_3_0
-# define OPENSSL_SUPPRESS_DEPRECATED
-#endif
-
 #include <string.h>
 
-#include <openssl/engine.h>
 #include "internal/nelem.h"
 #include "ssltestlib.h"
@@ -1192 +1183 @@
     SSL_free(clientssl);
 }
-
-ENGINE *load_dasync(void)
-{
-#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE)
-    ENGINE *e;
-
-    if (!TEST_ptr(e = ENGINE_by_id("dasync")))
-        return NULL;
-
-    if (!TEST_true(ENGINE_init(e))) {
-        ENGINE_free(e);
-        return NULL;
-    }
-
-    if (!TEST_true(ENGINE_register_ciphers(e))) {
-        ENGINE_free(e);
-        return NULL;
-    }
-
-    return e;
-#else
-    return NULL;
-#endif
-}

trunk/src/libs/openssl-3.1.7/test/helpers/ssltestlib.h

@@ -1 +1 @@
 /*
- * Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
@@ -60 +60 @@
 DEFINE_STACK_OF(MEMPACKET)
 
-ENGINE *load_dasync(void);
 #endif /* OSSL_TEST_SSLTESTLIB_H */

trunk/src/libs/openssl-3.1.7/test/hexstr_test.c

@@ -1 +1 @@
 /*
- * Copyright 2020-2024 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License");
@@ -121 +121 @@
     return TEST_true(OPENSSL_hexstr2buf_ex(buf, sizeof(buf), &len, test->in, ':'))
            && TEST_mem_eq(buf, len, test->expected, test->expected_len)
-           && TEST_false(OPENSSL_buf2hexstr_ex(out, 3 * len - 1, NULL, buf, len,
-                                               ':'))
            && TEST_true(OPENSSL_buf2hexstr_ex(out, sizeof(out), NULL, buf, len,
-                                              ':'))
-           && TEST_str_eq(out, test->in)
-           && TEST_true(OPENSSL_buf2hexstr_ex(out, sizeof(out), NULL, buf, 0,
-                                              ':'))
-           && TEST_size_t_eq(strlen(out), 0);
+                        ':'))
+           && TEST_str_eq(out, test->in);
 }
 

trunk/src/libs/openssl-3.1.7/test/keymgmt_internal_test.c

@@ -1 +1 @@
 /*
- * Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
@@ -225 +225 @@
         goto err;
 
-    for (;;) {
+    while (dup_pk == NULL) {
         ret = 0;
         km = km3;
@@ -256 +256 @@
 
         ret = (ret == OSSL_NELEM(expected));
-
-        if (!ret || dup_pk != NULL)
-            break;
-
-        if (!TEST_ptr(dup_pk = EVP_PKEY_dup(pk)))
+        if (!ret || !TEST_ptr(dup_pk = EVP_PKEY_dup(pk)))
             goto err;
 

trunk/src/libs/openssl-3.1.7/test/pkey_meth_kdf_test.c

@@ -1 +1 @@
 /*
- * Copyright 2017-2024 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
@@ -17 +17 @@
 #include "testutil.h"
 
-static int test_kdf_tls1_prf(int index)
+static int test_kdf_tls1_prf(void)
 {
     int ret = 0;
@@ -41 +41 @@
         goto err;
     }
-    if (index == 0) {
-        if (EVP_PKEY_CTX_add1_tls1_prf_seed(pctx,
-                                            (unsigned char *)"seed", 4) <= 0) {
-            TEST_error("EVP_PKEY_CTX_add1_tls1_prf_seed");
-            goto err;
-        }
-    } else {
-        if (EVP_PKEY_CTX_add1_tls1_prf_seed(pctx,
-                                            (unsigned char *)"se", 2) <= 0) {
-            TEST_error("EVP_PKEY_CTX_add1_tls1_prf_seed");
-            goto err;
-        }
-        if (EVP_PKEY_CTX_add1_tls1_prf_seed(pctx,
-                                            (unsigned char *)"ed", 2) <= 0) {
-            TEST_error("EVP_PKEY_CTX_add1_tls1_prf_seed");
-            goto err;
-        }
+    if (EVP_PKEY_CTX_add1_tls1_prf_seed(pctx,
+                                        (unsigned char *)"seed", 4) <= 0) {
+        TEST_error("EVP_PKEY_CTX_add1_tls1_prf_seed");
+        goto err;
     }
     if (EVP_PKEY_derive(pctx, out, &outlen) <= 0) {
@@ -79 +66 @@
 }
 
-static int test_kdf_hkdf(int index)
+static int test_kdf_hkdf(void)
 {
     int ret = 0;
@@ -108 +95 @@
         goto err;
     }
-    if (index == 0) {
-        if (EVP_PKEY_CTX_add1_hkdf_info(pctx, (const unsigned char *)"label", 5)
+    if (EVP_PKEY_CTX_add1_hkdf_info(pctx, (const unsigned char *)"label", 5)
             <= 0) {
-            TEST_error("EVP_PKEY_CTX_add1_hkdf_info");
-            goto err;
-        }
-    } else {
-        if (EVP_PKEY_CTX_add1_hkdf_info(pctx, (const unsigned char *)"lab", 3)
-            <= 0) {
-            TEST_error("EVP_PKEY_CTX_add1_hkdf_info");
-            goto err;
-        }
-        if (EVP_PKEY_CTX_add1_hkdf_info(pctx, (const unsigned char *)"el", 2)
-            <= 0) {
-            TEST_error("EVP_PKEY_CTX_add1_hkdf_info");
-            goto err;
-        }
+        TEST_error("EVP_PKEY_CTX_set1_hkdf_info");
+        goto err;
     }
     if (EVP_PKEY_derive(pctx, out, &outlen) <= 0) {
@@ -222 +196 @@
 int setup_tests(void)
 {
-    int tests = 1;
-
-    if (fips_provider_version_ge(NULL, 3, 3, 1))
-        tests = 2;
-
-    ADD_ALL_TESTS(test_kdf_tls1_prf, tests);
-    ADD_ALL_TESTS(test_kdf_hkdf, tests);
+    ADD_TEST(test_kdf_tls1_prf);
+    ADD_TEST(test_kdf_hkdf);
 #ifndef OPENSSL_NO_SCRYPT
     ADD_TEST(test_kdf_scrypt);

trunk/src/libs/openssl-3.1.7/test/prov_config_test.c

@@ -1 +1 @@
 /*
- * Copyright 2021-2024 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
@@ -8 +8 @@
  */
 
-#include <sys/stat.h>
 #include <openssl/evp.h>
 #include <openssl/conf.h>
@@ -15 +14 @@
 static char *configfile = NULL;
 static char *recurseconfigfile = NULL;
-static char *pathedconfig = NULL;
 
 /*
@@ -27 +25 @@
     EVP_MD *sha256 = NULL;
 
+    if (!TEST_ptr(configfile))
+        return 0;
     if (!TEST_ptr(ctx))
         return 0;
 
     if (!TEST_true(OSSL_LIB_CTX_load_config(ctx, configfile)))
-        goto err;
+        return 0;
     if (!TEST_true(OSSL_LIB_CTX_load_config(ctx, configfile)))
-        goto err;
+        return 0;
 
     /* Check we can actually fetch something */
@@ -53 +53 @@
     unsigned long err;
 
+    if (!TEST_ptr(recurseconfigfile))
+        goto err;
+
     if (!TEST_ptr(ctx))
         goto err;
@@ -63 +66 @@
     if (ERR_GET_REASON(err) == CONF_R_RECURSIVE_SECTION_REFERENCE)
         testresult = 1;
- err:
-    OSSL_LIB_CTX_free(ctx);
-    return testresult;
-}
-
-#define P_TEST_PATH "/../test/p_test.so"
-static int test_path_config(void)
-{
-    OSSL_LIB_CTX *ctx = NULL;
-    OSSL_PROVIDER *prov;
-    int testresult = 0;
-    struct stat sbuf;
-    char *module_path = getenv("OPENSSL_MODULES");
-    char *full_path = NULL;
-    int rc;
-
-    if (!TEST_ptr(module_path))
-        return 0;
-
-    full_path = OPENSSL_zalloc(strlen(module_path) + strlen(P_TEST_PATH) + 1);
-    if (!TEST_ptr(full_path))
-        return 0;
-
-    strcpy(full_path, module_path);
-    full_path = strcat(full_path, P_TEST_PATH);
-    TEST_info("full path is %s", full_path);
-    rc = stat(full_path, &sbuf);
-    OPENSSL_free(full_path);
-    if (rc == -1)
-        return TEST_skip("Skipping modulepath test as provider not present");
-
-    if (!TEST_ptr(pathedconfig))
-        return 0;
-
-    ctx = OSSL_LIB_CTX_new();
-    if (!TEST_ptr(ctx))
-        return 0;
-
-    if (!TEST_true(OSSL_LIB_CTX_load_config(ctx, pathedconfig)))
-        goto err;
-
-    /* attempt to manually load the test provider */
-    if (!TEST_ptr(prov = OSSL_PROVIDER_load(ctx, "test")))
-        goto err;
-
-    OSSL_PROVIDER_unload(prov);
-
-    testresult = 1;
  err:
     OSSL_LIB_CTX_free(ctx);
@@ -131 +86 @@
         return 0;
 
-    if (!TEST_ptr(pathedconfig = test_get_argument(2)))
-        return 0;
-
     ADD_TEST(test_recursive_config);
     ADD_TEST(test_double_config);
-    ADD_TEST(test_path_config);
     return 1;
 }

trunk/src/libs/openssl-3.1.7/test/provider_fallback_test.c

@@ -1 +1 @@
 /*
- * Copyright 2020-2024 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
@@ -40 +40 @@
 
     ok = TEST_ptr(ctx = OSSL_LIB_CTX_new())
-        && TEST_ptr(prov = OSSL_PROVIDER_load(ctx, "default"));
-
-    if (ok) {
-        ok = test_provider(ctx);
-        if (ok)
-            ok = TEST_true(OSSL_PROVIDER_unload(prov));
-        else
-            OSSL_PROVIDER_unload(prov);
-    }
+        && TEST_ptr(prov = OSSL_PROVIDER_load(ctx, "default"))
+        && test_provider(ctx)
+        && TEST_true(OSSL_PROVIDER_unload(prov));
 
     OSSL_LIB_CTX_free(ctx);

trunk/src/libs/openssl-3.1.7/test/provider_internal_test.c

@@ -1 +1 @@
 /*
- * Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
@@ -23 +23 @@
 static int test_provider(OSSL_PROVIDER *prov, const char *expected_greeting)
 {
-    const char *greeting = "no greeting received";
+    const char *greeting = NULL;
     int ret = 0;
 

trunk/src/libs/openssl-3.1.7/test/provider_status_test.c

@@ -1 +1 @@
 /*
- * Copyright 2020-2024 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
@@ -15 +15 @@
 #include <openssl/self_test.h>
 #include <openssl/evp.h>
-#include <openssl/rsa.h>
 #include "testutil.h"
 
@@ -149 +148 @@
     OSSL_PARAM params[2];
     EVP_MD *fetch = NULL;
-    EVP_PKEY_CTX *pctx = NULL;
-    EVP_PKEY *pkey = NULL;
 
     if (!TEST_ptr(prov = OSSL_PROVIDER_load(libctx, provider_name)))
@@ -167 +164 @@
     EVP_MD_free(fetch);
     fetch = NULL;
-    /* Use RNG before triggering on-demand self tests */
-    if (!TEST_ptr((pctx = EVP_PKEY_CTX_new_from_name(libctx, "RSA", NULL)))
-        || !TEST_int_gt(EVP_PKEY_keygen_init(pctx), 0)
-        || !TEST_int_gt(EVP_PKEY_CTX_set_rsa_keygen_bits(pctx, 2048), 0)
-        || !TEST_int_gt(EVP_PKEY_keygen(pctx, &pkey), 0))
-        goto err;
-    EVP_PKEY_free(pkey);
-    EVP_PKEY_CTX_free(pctx);
-    pkey = NULL;
-    pctx = NULL;
 
     /* Test that the provider self test is ok */

trunk/src/libs/openssl-3.1.7/test/provider_test.c

@@ -1 +1 @@
 /*
- * Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
@@ -198 +198 @@
     if (!TEST_true(OSSL_PROVIDER_add_builtin(libctx, name,
                                              PROVIDER_INIT_FUNCTION_NAME))) {
-        OSSL_PROVIDER_unload(legacy);
         OSSL_LIB_CTX_free(libctx);
         return 0;

trunk/src/libs/openssl-3.1.7/test/recipes/03-test_fipsinstall.t

@@ -1 +1 @@
 #! /usr/bin/env perl
-# Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License").  You may not use
@@ -207 +207 @@
             '-provider_name', 'fips', '-mac_name', 'HMAC',
             '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey",
-            '-section_name', 'fips_sect', '-corrupt_desc', 'SHA2'])),
+            '-section_name', 'fips_sect', '-corrupt_desc', 'SHA1'])),
    "fipsinstall fails when the digest result is corrupted");
 

trunk/src/libs/openssl-3.1.7/test/recipes/04-test_conf.t

@@ -1 +1 @@
 #! /usr/bin/env perl
-# Copyright 2017-2024 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License").  You may not use
@@ -19 +19 @@
     'dollarid_on.cnf'  => 'dollarid_on.txt',
     'dollarid_off.cnf' => 'dollarid_off.txt',
-    'oversized_line.cnf' => 'oversized_line.txt',
 );
 

trunk/src/libs/openssl-3.1.7/test/recipes/25-test_eai_data.t

@@ -1 +1 @@
 #! /usr/bin/env perl
-# Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License").  You may not use
@@ -22 +22 @@
 #./util/wrap.pl apps/openssl verify -nameopt utf8 -no_check_time -CAfile test/recipes/25-test_eai_data/ascii_chain.pem test/recipes/25-test_eai_data/utf8_leaf.pem
 
-plan tests => 16;
+plan tests => 12;
 
 require_ok(srctop_file('test','recipes','tconversion.pl'));
@@ -29 +29 @@
 my $ascii_pem = srctop_file($folder, "ascii_leaf.pem");
 my $utf8_pem  = srctop_file($folder, "utf8_leaf.pem");
-my $kdc_pem   = srctop_file($folder, "kdc-cert.pem");
 
 my $ascii_chain_pem = srctop_file($folder, "ascii_chain.pem");
 my $utf8_chain_pem  = srctop_file($folder, "utf8_chain.pem");
-my $kdc_chain_pem  = srctop_file($folder, "kdc-root-cert.pem");
 
 my $out;
@@ -59 +57 @@
 ok(run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-CAfile", $ascii_chain_pem, $ascii_pem])));
 ok(run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-CAfile", $utf8_chain_pem, $utf8_pem])));
-ok(run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-CAfile", $kdc_chain_pem, $kdc_pem])));
 
 ok(!run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-CAfile", $ascii_chain_pem, $utf8_pem])));
 ok(!run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-CAfile", $utf8_chain_pem,  $ascii_pem])));
-
-# Check an otherName does not get misparsed as an DNS name, (should trigger ASAN errors if violated).
-ok(run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-verify_hostname", 'mx1.example.com', "-CAfile", $kdc_chain_pem,  $kdc_pem])));
-# Check an otherName does not get misparsed as an email address, (should trigger ASAN errors if violated).
-ok(run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-verify_email", '[email protected]', "-CAfile", $kdc_chain_pem,  $kdc_pem])));
-# We expect SmtpUTF8Mailbox to be a UTF8 String, not an IA5String.
-ok(!run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-verify_email", '[email protected]', "-CAfile", $kdc_chain_pem,  $kdc_pem])));
 
 #Check that we get the expected failure return code

trunk/src/libs/openssl-3.1.7/test/recipes/25-test_req.t

@@ -16 +16 @@
 setup("test_req");
 
-plan tests => 50;
+plan tests => 49;
 
 require_ok(srctop_file('test', 'recipes', 'tconversion.pl'));
@@ -54 +54 @@
 ok(!run(app([@addext_args, "-addext", $val2, "-addext", $val3])));
 ok(run(app([@addext_args, "-addext", "SXNetID=1:one, 2:two, 3:three"])));
-ok(run(app([@addext_args, "-addext", "subjectAltName=dirName:dirname_sec"])));
 
 # If a CSR is provided with neither of -key or -CA/-CAkey, this should fail.

trunk/src/libs/openssl-3.1.7/test/recipes/30-test_evp_data/evppkey_dsa.txt

@@ -1 +1 @@
 #
-# Copyright 2001-2024 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2001-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License").  You may not use
@@ -271 +271 @@
 # Test sign with a 2048 bit key with N == 160 is not allowed in fips mode
 Availablein = fips
-FIPSversion = <3.4.0
 DigestSign = SHA256
 Key = DSA-2048-160
@@ -326 +325 @@
 # Test sign with a 1024 bit key is not allowed in fips mode
 Availablein = fips
-FIPSversion = <3.4.0
 DigestSign = SHA256
 Securitycheck = 1
@@ -343 +341 @@
 # Test sign with a 3072 bit key with N == 224 is not allowed in fips mode
 Availablein = fips
-FIPSversion = <3.4.0
 DigestSign = SHA256
 Securitycheck = 1
@@ -352 +349 @@
 # Test sign with a 4096 bit key is not allowed in fips mode
 Availablein = fips
-FIPSversion = <3.4.0
 DigestSign = SHA256
 Securitycheck = 1

trunk/src/libs/openssl-3.1.7/test/recipes/30-test_evp_data/evppkey_ecdsa.txt

@@ -1 +1 @@
 #
-# Copyright 2001-2024 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2001-2022 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License").  You may not use
@@ -217 +217 @@
 # Test that SHA1 is not allowed in fips mode for signing
 Availablein = fips
-FIPSversion = <3.4.0
 Sign = P-256
 Securitycheck = 1

trunk/src/libs/openssl-3.1.7/test/recipes/30-test_evp_data/evppkey_rsa_common.txt

@@ -1 +1 @@
 #
-# Copyright 2001-2024 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2001-2022 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License").  You may not use
@@ -1345 +1345 @@
 # Signing with SHA1 is not allowed in fips mode
 Availablein = fips
-FIPSversion = <3.4.0
 DigestSign = SHA1
 Securitycheck = 1

trunk/src/libs/openssl-3.1.7/test/recipes/30-test_prov_config.t

@@ -1 +1 @@
 #! /usr/bin/env perl
-# Copyright 2021-2024 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License").  You may not use
@@ -24 +24 @@
 
 ok(run(test(["prov_config_test", srctop_file("test", "default.cnf"),
-                                 srctop_file("test", "recursive.cnf"),
-                                 srctop_file("test", "pathed.cnf")])),
+                                 srctop_file("test", "recursive.cnf")])),
     "running prov_config_test default.cnf");
 
@@ -32 +31 @@
 
     ok(run(test(["prov_config_test", srctop_file("test", "fips.cnf"),
-                                     srctop_file("test", "recursive.cnf"),
-                                     srctop_file("test", "pathed.cnf")])),
+                                     srctop_file("test", "recursive.cnf")])),
        "running prov_config_test fips.cnf");
 }

trunk/src/libs/openssl-3.1.7/test/recipes/80-test_pkcs12.t

@@ -55 +55 @@
 $ENV{OPENSSL_WIN32_UTF8}=1;
 
-plan tests => 20;
+plan tests => 17;
 
 # Test different PKCS#12 formats
@@ -163 +163 @@
            "test bad pkcs12 file 1 (nomacver)");
 
-        ok(run(app(["openssl", "pkcs12", "-in", $bad1, "-password", "pass:",
-                    "-info"])),
-           "test bad pkcs12 file 1 (info)");
-
         ok(run(app(["openssl", "pkcs12", "-in", $bad2, "-password", "pass:"])),
            "test bad pkcs12 file 2");
 
-        ok(run(app(["openssl", "pkcs12", "-in", $bad2, "-password", "pass:",
-                    "-info"])),
-           "test bad pkcs12 file 2 (info)");
-
         ok(run(app(["openssl", "pkcs12", "-in", $bad3, "-password", "pass:"])),
            "test bad pkcs12 file 3");
-
-        ok(run(app(["openssl", "pkcs12", "-in", $bad3, "-password", "pass:",
-                    "-info"])),
-           "test bad pkcs12 file 3 (info)");
      });
 

trunk/src/libs/openssl-3.1.7/test/recipes/90-test_shlibload.t

@@ -1 +1 @@
 #! /usr/bin/env perl
-# Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License").  You may not use
@@ -24 +24 @@
 plan skip_all => "Test only supported in a dso build" if disabled("dso");
 plan skip_all => "Test is disabled in an address sanitizer build" unless disabled("asan");
-plan skip_all => "Test is disabled in no-atexit build" if disabled("atexit");
 
 plan tests => 10;

trunk/src/libs/openssl-3.1.7/test/recipes/90-test_sslapi.t

@@ -1 +1 @@
 #! /usr/bin/env perl
-# Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License").  You may not use
@@ -8 +8 @@
 
 use OpenSSL::Test::Utils;
-use OpenSSL::Test qw/:DEFAULT srctop_file srctop_dir bldtop_dir bldtop_file result_dir result_file/;
+use OpenSSL::Test qw/:DEFAULT srctop_file srctop_dir bldtop_dir bldtop_file/;
 use File::Temp qw(tempfile);
 
@@ -14 +14 @@
 setup("test_sslapi");
 }
+
+use lib srctop_dir('Configurations');
+use lib bldtop_dir('.');
 
 my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
@@ -23 +26 @@
 # A modified copy of "fipsmodule.cnf"
 my $fipsmodcfgnew_filename = "fipsmodule_mod.cnf";
-my $fipsmodcfgnew = result_file($fipsmodcfgnew_filename);
+my $fipsmodcfgnew = bldtop_file("test", $fipsmodcfgnew_filename);
 
 # A modified copy of "fips-and-base.cnf"
-my $provconfnew = result_file("fips-and-base-temp.cnf");
+my $provconfnew = bldtop_file("test", "temp.cnf");
 
 plan skip_all => "No TLS/SSL protocols are supported by this OpenSSL build"
@@ -49 +52 @@
         if $no_fips;
 
-    # NOTE that because by default we setup fips provider in pedantic mode,
-    # with >= 3.1.0 this just runs test_no_ems() to check that the connection
-    # fails if ems is not used and the fips check is enabled.
     ok(run(test(["sslapitest", srctop_dir("test", "certs"),
                  srctop_file("test", "recipes", "90-test_sslapi_data",
@@ -60 +60 @@
                              "90-test_sslapi_data",
                              "dhparams.pem")])),
-                 "running sslapitest with default fips config");
+                 "running sslapitest");
 
     run(test(["fips_version_test", "-config", $provconf, ">=3.1.0"]),
@@ -71 +71 @@
     # value in $repl and output to a new file $outfile.
     sub replace_line_file_internal {
-
+    
         my ($infile, $srch, $repl, $outfile) = @_;
         my $msg;
@@ -86 +86 @@
         return 1;
     }
-
+    
     # Read in the text input file $infile
     # and replace a single Key = Value line with a new value in $value.
@@ -103 +103 @@
         return replace_line_file_internal($infile, $srch, $rep, $outfile);
     }
-
+    
     # Read in the text $input file
     # and search for the $key and replace with $newkey
@@ -115 +115 @@
     }
 
-    # The default fipsmodule.cnf in tests is set with -pedantic.
-    # In order to enable the tls1-prf-ems-check=0 in a fips config file
+    # In order to enable the tls1-prf-ems-check=1 in a fips config file
     # copy the existing fipsmodule.cnf and modify it.
     # Then copy fips-and-base.cfg to make a file that includes the changed file
-    $ENV{OPENSSL_CONF_INCLUDE} = result_dir();
+    # NOTE that this just runs test_no_ems() to check that the connection
+    # fails if ems is not used and the fips check is enabled.
     ok(replace_kv_file($fipsmodcfg,
-                       'tls1-prf-ems-check', '0',
+                       'tls1-prf-ems-check', '1',
                        $fipsmodcfgnew)
        && replace_line_file($provconf,
@@ -135 +135 @@
                                 "90-test_sslapi_data",
                                 "dhparams.pem")])),
-       "running sslapitest with modified fips config");
+       "running sslapitest");
+
+    unlink $fipsmodcfgnew;
+    unlink $provconfnew;
 }
 

trunk/src/libs/openssl-3.1.7/test/sm2_internal_test.c

@@ -1 +1 @@
 /*
- * Copyright 2017-2024 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
@@ -306 +306 @@
                          const char *k_hex,
                          const char *r_hex,
-                         const char *s_hex,
-                         int omit_pubkey)
+                         const char *s_hex)
 {
     const size_t msg_len = strlen(message);
@@ -329 +328 @@
         goto done;
 
-    if (omit_pubkey == 0) {
-        pt = EC_POINT_new(group);
-        if (!TEST_ptr(pt)
-                || !TEST_true(EC_POINT_mul(group, pt, priv, NULL, NULL, NULL))
-                || !TEST_true(EC_KEY_set_public_key(key, pt)))
-            goto done;
-    }
+    pt = EC_POINT_new(group);
+    if (!TEST_ptr(pt)
+            || !TEST_true(EC_POINT_mul(group, pt, priv, NULL, NULL, NULL))
+            || !TEST_true(EC_KEY_set_public_key(key, pt)))
+        goto done;
 
     start_fake_rand(k_hex);
@@ -396 +393 @@
                         "007c47811054c6f99613a578eb8453706ccb96384fe7df5c171671e760bfa8be3a",
                         "40F1EC59F793D9F49E09DCEF49130D4194F79FB1EED2CAA55BACDB49C4E755D1",
-                        "6FC6DAC32C5D5CF10C77DFB20F7C2EB667A457872FB09EC56327A67EC7DEEBE7", 0)))
-        goto done;
-
-    /* Make sure we fail if we omit the public portion of the key */
-    if (!TEST_false(test_sm2_sign(
-                     test_group,
-                     /* the default ID specified in GM/T 0009-2012 (Sec. 10).*/
-                     SM2_DEFAULT_USERID,
-                     /* privkey */
-                     "3945208F7B2144B13F36E38AC6D39F95889393692860B51A42FB81EF4DF7C5B8",
-                     /* plaintext message */
-                     "message digest",
-                     /* ephemeral nonce k */
-                     "59276E27D506861A16680F3AD9C02DCCEF3CC1FA3CDBE4CE6D54B80DEAC1BC21",
-                     /* expected signature, */
-                     /* signature R, 0x20 bytes */
-                     "F5A03B0648D2C4630EEAC513E1BB81A15944DA3827D5B74143AC7EACEEE720B3",
-                     /* signature S, 0x20 bytes */
-                     "B1B6AA29DF212FD8763182BC0D421CA1BB9038FD1F7F42D4840B69C485BBC1AA", 1)))
+                        "6FC6DAC32C5D5CF10C77DFB20F7C2EB667A457872FB09EC56327A67EC7DEEBE7")))
         goto done;
 

trunk/src/libs/openssl-3.1.7/test/ssl-tests/08-npn.cnf

@@ -1 +1 @@
 # Generated with generate_ssl_tests.pl
 
-num_tests = 22
+num_tests = 20
 
 test-0 = 0-npn-simple
@@ -9 +9 @@
 test-4 = 4-npn-no-server-support
 test-5 = 5-npn-no-client-support
-test-6 = 6-npn-empty-client-list
-test-7 = 7-npn-empty-server-list
-test-8 = 8-npn-with-sni-no-context-switch
-test-9 = 9-npn-with-sni-context-switch
-test-10 = 10-npn-selected-sni-server-supports-npn
-test-11 = 11-npn-selected-sni-server-does-not-support-npn
-test-12 = 12-alpn-preferred-over-npn
-test-13 = 13-sni-npn-preferred-over-alpn
-test-14 = 14-npn-simple-resumption
-test-15 = 15-npn-server-switch-resumption
-test-16 = 16-npn-client-switch-resumption
-test-17 = 17-npn-client-first-pref-on-mismatch-resumption
-test-18 = 18-npn-no-server-support-resumption
-test-19 = 19-npn-no-client-support-resumption
-test-20 = 20-alpn-preferred-over-npn-resumption
-test-21 = 21-npn-used-if-alpn-not-supported-resumption
+test-6 = 6-npn-with-sni-no-context-switch
+test-7 = 7-npn-with-sni-context-switch
+test-8 = 8-npn-selected-sni-server-supports-npn
+test-9 = 9-npn-selected-sni-server-does-not-support-npn
+test-10 = 10-alpn-preferred-over-npn
+test-11 = 11-sni-npn-preferred-over-alpn
+test-12 = 12-npn-simple-resumption
+test-13 = 13-npn-server-switch-resumption
+test-14 = 14-npn-client-switch-resumption
+test-15 = 15-npn-client-first-pref-on-mismatch-resumption
+test-16 = 16-npn-no-server-support-resumption
+test-17 = 17-npn-no-client-support-resumption
+test-18 = 18-alpn-preferred-over-npn-resumption
+test-19 = 19-npn-used-if-alpn-not-supported-resumption
 # ===========================================================
 
@@ -209 +207 @@
 # ===========================================================
 
-[6-npn-empty-client-list]
-ssl_conf = 6-npn-empty-client-list-ssl
-
-[6-npn-empty-client-list-ssl]
-server = 6-npn-empty-client-list-server
-client = 6-npn-empty-client-list-client
-
-[6-npn-empty-client-list-server]
-Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
-PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-
-[6-npn-empty-client-list-client]
+[6-npn-with-sni-no-context-switch]
+ssl_conf = 6-npn-with-sni-no-context-switch-ssl
+
+[6-npn-with-sni-no-context-switch-ssl]
+server = 6-npn-with-sni-no-context-switch-server
+client = 6-npn-with-sni-no-context-switch-client
+server2 = 6-npn-with-sni-no-context-switch-server2
+
+[6-npn-with-sni-no-context-switch-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[6-npn-with-sni-no-context-switch-server2]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[6-npn-with-sni-no-context-switch-client]
 CipherString = DEFAULT
 MaxProtocol = TLSv1.2
@@ -228 +232 @@
 
 [test-6]
-ExpectedClientAlert = HandshakeFailure
-ExpectedResult = ClientFail
-server = 6-npn-empty-client-list-server-extra
-client = 6-npn-empty-client-list-client-extra
-
-[6-npn-empty-client-list-server-extra]
-NPNProtocols = foo
-
-[6-npn-empty-client-list-client-extra]
-NPNProtocols = 
-
-
-# ===========================================================
-
-[7-npn-empty-server-list]
-ssl_conf = 7-npn-empty-server-list-ssl
-
-[7-npn-empty-server-list-ssl]
-server = 7-npn-empty-server-list-server
-client = 7-npn-empty-server-list-client
-
-[7-npn-empty-server-list-server]
-Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
-PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-
-[7-npn-empty-server-list-client]
-CipherString = DEFAULT
-MaxProtocol = TLSv1.2
-VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
-VerifyMode = Peer
-
-[test-7]
-ExpectedNPNProtocol = foo
-server = 7-npn-empty-server-list-server-extra
-client = 7-npn-empty-server-list-client-extra
-
-[7-npn-empty-server-list-server-extra]
-NPNProtocols = 
-
-[7-npn-empty-server-list-client-extra]
-NPNProtocols = foo
-
-
-# ===========================================================
-
-[8-npn-with-sni-no-context-switch]
-ssl_conf = 8-npn-with-sni-no-context-switch-ssl
-
-[8-npn-with-sni-no-context-switch-ssl]
-server = 8-npn-with-sni-no-context-switch-server
-client = 8-npn-with-sni-no-context-switch-client
-server2 = 8-npn-with-sni-no-context-switch-server2
-
-[8-npn-with-sni-no-context-switch-server]
-Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
-PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-
-[8-npn-with-sni-no-context-switch-server2]
-Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
-PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-
-[8-npn-with-sni-no-context-switch-client]
-CipherString = DEFAULT
-MaxProtocol = TLSv1.2
-VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
-VerifyMode = Peer
-
-[test-8]
 ExpectedNPNProtocol = foo
 ExpectedServerName = server1
-server = 8-npn-with-sni-no-context-switch-server-extra
-server2 = 8-npn-with-sni-no-context-switch-server2-extra
-client = 8-npn-with-sni-no-context-switch-client-extra
-
-[8-npn-with-sni-no-context-switch-server-extra]
+server = 6-npn-with-sni-no-context-switch-server-extra
+server2 = 6-npn-with-sni-no-context-switch-server2-extra
+client = 6-npn-with-sni-no-context-switch-client-extra
+
+[6-npn-with-sni-no-context-switch-server-extra]
 NPNProtocols = foo
 ServerNameCallback = IgnoreMismatch
 
-[8-npn-with-sni-no-context-switch-server2-extra]
-NPNProtocols = bar
-
-[8-npn-with-sni-no-context-switch-client-extra]
+[6-npn-with-sni-no-context-switch-server2-extra]
+NPNProtocols = bar
+
+[6-npn-with-sni-no-context-switch-client-extra]
 NPNProtocols = foo,bar
 ServerName = server1
@@ -319 +252 @@
 # ===========================================================
 
-[9-npn-with-sni-context-switch]
-ssl_conf = 9-npn-with-sni-context-switch-ssl
-
-[9-npn-with-sni-context-switch-ssl]
-server = 9-npn-with-sni-context-switch-server
-client = 9-npn-with-sni-context-switch-client
-server2 = 9-npn-with-sni-context-switch-server2
-
-[9-npn-with-sni-context-switch-server]
-Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
-PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-
-[9-npn-with-sni-context-switch-server2]
-Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
-PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-
-[9-npn-with-sni-context-switch-client]
-CipherString = DEFAULT
-MaxProtocol = TLSv1.2
-VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
-VerifyMode = Peer
-
-[test-9]
+[7-npn-with-sni-context-switch]
+ssl_conf = 7-npn-with-sni-context-switch-ssl
+
+[7-npn-with-sni-context-switch-ssl]
+server = 7-npn-with-sni-context-switch-server
+client = 7-npn-with-sni-context-switch-client
+server2 = 7-npn-with-sni-context-switch-server2
+
+[7-npn-with-sni-context-switch-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[7-npn-with-sni-context-switch-server2]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[7-npn-with-sni-context-switch-client]
+CipherString = DEFAULT
+MaxProtocol = TLSv1.2
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-7]
 ExpectedNPNProtocol = bar
 ExpectedServerName = server2
-server = 9-npn-with-sni-context-switch-server-extra
-server2 = 9-npn-with-sni-context-switch-server2-extra
-client = 9-npn-with-sni-context-switch-client-extra
-
-[9-npn-with-sni-context-switch-server-extra]
+server = 7-npn-with-sni-context-switch-server-extra
+server2 = 7-npn-with-sni-context-switch-server2-extra
+client = 7-npn-with-sni-context-switch-client-extra
+
+[7-npn-with-sni-context-switch-server-extra]
 NPNProtocols = foo
 ServerNameCallback = IgnoreMismatch
 
-[9-npn-with-sni-context-switch-server2-extra]
-NPNProtocols = bar
-
-[9-npn-with-sni-context-switch-client-extra]
+[7-npn-with-sni-context-switch-server2-extra]
+NPNProtocols = bar
+
+[7-npn-with-sni-context-switch-client-extra]
 NPNProtocols = foo,bar
 ServerName = server2
@@ -364 +297 @@
 # ===========================================================
 
-[10-npn-selected-sni-server-supports-npn]
-ssl_conf = 10-npn-selected-sni-server-supports-npn-ssl
-
-[10-npn-selected-sni-server-supports-npn-ssl]
-server = 10-npn-selected-sni-server-supports-npn-server
-client = 10-npn-selected-sni-server-supports-npn-client
-server2 = 10-npn-selected-sni-server-supports-npn-server2
-
-[10-npn-selected-sni-server-supports-npn-server]
-Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
-PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-
-[10-npn-selected-sni-server-supports-npn-server2]
-Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
-PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-
-[10-npn-selected-sni-server-supports-npn-client]
-CipherString = DEFAULT
-MaxProtocol = TLSv1.2
-VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
-VerifyMode = Peer
-
-[test-10]
+[8-npn-selected-sni-server-supports-npn]
+ssl_conf = 8-npn-selected-sni-server-supports-npn-ssl
+
+[8-npn-selected-sni-server-supports-npn-ssl]
+server = 8-npn-selected-sni-server-supports-npn-server
+client = 8-npn-selected-sni-server-supports-npn-client
+server2 = 8-npn-selected-sni-server-supports-npn-server2
+
+[8-npn-selected-sni-server-supports-npn-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[8-npn-selected-sni-server-supports-npn-server2]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[8-npn-selected-sni-server-supports-npn-client]
+CipherString = DEFAULT
+MaxProtocol = TLSv1.2
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-8]
 ExpectedNPNProtocol = bar
 ExpectedServerName = server2
-server = 10-npn-selected-sni-server-supports-npn-server-extra
-server2 = 10-npn-selected-sni-server-supports-npn-server2-extra
-client = 10-npn-selected-sni-server-supports-npn-client-extra
-
-[10-npn-selected-sni-server-supports-npn-server-extra]
+server = 8-npn-selected-sni-server-supports-npn-server-extra
+server2 = 8-npn-selected-sni-server-supports-npn-server2-extra
+client = 8-npn-selected-sni-server-supports-npn-client-extra
+
+[8-npn-selected-sni-server-supports-npn-server-extra]
 ServerNameCallback = IgnoreMismatch
 
-[10-npn-selected-sni-server-supports-npn-server2-extra]
-NPNProtocols = bar
-
-[10-npn-selected-sni-server-supports-npn-client-extra]
+[8-npn-selected-sni-server-supports-npn-server2-extra]
+NPNProtocols = bar
+
+[8-npn-selected-sni-server-supports-npn-client-extra]
 NPNProtocols = foo,bar
 ServerName = server2
@@ -408 +341 @@
 # ===========================================================
 
-[11-npn-selected-sni-server-does-not-support-npn]
-ssl_conf = 11-npn-selected-sni-server-does-not-support-npn-ssl
-
-[11-npn-selected-sni-server-does-not-support-npn-ssl]
-server = 11-npn-selected-sni-server-does-not-support-npn-server
-client = 11-npn-selected-sni-server-does-not-support-npn-client
-server2 = 11-npn-selected-sni-server-does-not-support-npn-server2
-
-[11-npn-selected-sni-server-does-not-support-npn-server]
-Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
-PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-
-[11-npn-selected-sni-server-does-not-support-npn-server2]
-Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
-PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-
-[11-npn-selected-sni-server-does-not-support-npn-client]
-CipherString = DEFAULT
-MaxProtocol = TLSv1.2
-VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
-VerifyMode = Peer
-
-[test-11]
+[9-npn-selected-sni-server-does-not-support-npn]
+ssl_conf = 9-npn-selected-sni-server-does-not-support-npn-ssl
+
+[9-npn-selected-sni-server-does-not-support-npn-ssl]
+server = 9-npn-selected-sni-server-does-not-support-npn-server
+client = 9-npn-selected-sni-server-does-not-support-npn-client
+server2 = 9-npn-selected-sni-server-does-not-support-npn-server2
+
+[9-npn-selected-sni-server-does-not-support-npn-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[9-npn-selected-sni-server-does-not-support-npn-server2]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[9-npn-selected-sni-server-does-not-support-npn-client]
+CipherString = DEFAULT
+MaxProtocol = TLSv1.2
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-9]
 ExpectedServerName = server2
-server = 11-npn-selected-sni-server-does-not-support-npn-server-extra
-client = 11-npn-selected-sni-server-does-not-support-npn-client-extra
-
-[11-npn-selected-sni-server-does-not-support-npn-server-extra]
+server = 9-npn-selected-sni-server-does-not-support-npn-server-extra
+client = 9-npn-selected-sni-server-does-not-support-npn-client-extra
+
+[9-npn-selected-sni-server-does-not-support-npn-server-extra]
 NPNProtocols = bar
 ServerNameCallback = IgnoreMismatch
 
-[11-npn-selected-sni-server-does-not-support-npn-client-extra]
+[9-npn-selected-sni-server-does-not-support-npn-client-extra]
 NPNProtocols = foo,bar
 ServerName = server2
@@ -448 +381 @@
 # ===========================================================
 
-[12-alpn-preferred-over-npn]
-ssl_conf = 12-alpn-preferred-over-npn-ssl
-
-[12-alpn-preferred-over-npn-ssl]
-server = 12-alpn-preferred-over-npn-server
-client = 12-alpn-preferred-over-npn-client
-
-[12-alpn-preferred-over-npn-server]
-Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
-PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-
-[12-alpn-preferred-over-npn-client]
-CipherString = DEFAULT
-MaxProtocol = TLSv1.2
-VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
-VerifyMode = Peer
-
-[test-12]
+[10-alpn-preferred-over-npn]
+ssl_conf = 10-alpn-preferred-over-npn-ssl
+
+[10-alpn-preferred-over-npn-ssl]
+server = 10-alpn-preferred-over-npn-server
+client = 10-alpn-preferred-over-npn-client
+
+[10-alpn-preferred-over-npn-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[10-alpn-preferred-over-npn-client]
+CipherString = DEFAULT
+MaxProtocol = TLSv1.2
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-10]
 ExpectedALPNProtocol = foo
-server = 12-alpn-preferred-over-npn-server-extra
-client = 12-alpn-preferred-over-npn-client-extra
-
-[12-alpn-preferred-over-npn-server-extra]
+server = 10-alpn-preferred-over-npn-server-extra
+client = 10-alpn-preferred-over-npn-client-extra
+
+[10-alpn-preferred-over-npn-server-extra]
 ALPNProtocols = foo
 NPNProtocols = bar
 
-[12-alpn-preferred-over-npn-client-extra]
+[10-alpn-preferred-over-npn-client-extra]
 ALPNProtocols = foo
 NPNProtocols = bar
@@ -482 +415 @@
 # ===========================================================
 
-[13-sni-npn-preferred-over-alpn]
-ssl_conf = 13-sni-npn-preferred-over-alpn-ssl
-
-[13-sni-npn-preferred-over-alpn-ssl]
-server = 13-sni-npn-preferred-over-alpn-server
-client = 13-sni-npn-preferred-over-alpn-client
-server2 = 13-sni-npn-preferred-over-alpn-server2
-
-[13-sni-npn-preferred-over-alpn-server]
-Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
-PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-
-[13-sni-npn-preferred-over-alpn-server2]
-Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
-PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-
-[13-sni-npn-preferred-over-alpn-client]
-CipherString = DEFAULT
-MaxProtocol = TLSv1.2
-VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
-VerifyMode = Peer
-
-[test-13]
+[11-sni-npn-preferred-over-alpn]
+ssl_conf = 11-sni-npn-preferred-over-alpn-ssl
+
+[11-sni-npn-preferred-over-alpn-ssl]
+server = 11-sni-npn-preferred-over-alpn-server
+client = 11-sni-npn-preferred-over-alpn-client
+server2 = 11-sni-npn-preferred-over-alpn-server2
+
+[11-sni-npn-preferred-over-alpn-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[11-sni-npn-preferred-over-alpn-server2]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[11-sni-npn-preferred-over-alpn-client]
+CipherString = DEFAULT
+MaxProtocol = TLSv1.2
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-11]
 ExpectedNPNProtocol = bar
 ExpectedServerName = server2
-server = 13-sni-npn-preferred-over-alpn-server-extra
-server2 = 13-sni-npn-preferred-over-alpn-server2-extra
-client = 13-sni-npn-preferred-over-alpn-client-extra
-
-[13-sni-npn-preferred-over-alpn-server-extra]
+server = 11-sni-npn-preferred-over-alpn-server-extra
+server2 = 11-sni-npn-preferred-over-alpn-server2-extra
+client = 11-sni-npn-preferred-over-alpn-client-extra
+
+[11-sni-npn-preferred-over-alpn-server-extra]
 ALPNProtocols = foo
 ServerNameCallback = IgnoreMismatch
 
-[13-sni-npn-preferred-over-alpn-server2-extra]
-NPNProtocols = bar
-
-[13-sni-npn-preferred-over-alpn-client-extra]
+[11-sni-npn-preferred-over-alpn-server2-extra]
+NPNProtocols = bar
+
+[11-sni-npn-preferred-over-alpn-client-extra]
 ALPNProtocols = foo
 NPNProtocols = bar
@@ -528 +461 @@
 # ===========================================================
 
-[14-npn-simple-resumption]
-ssl_conf = 14-npn-simple-resumption-ssl
-
-[14-npn-simple-resumption-ssl]
-server = 14-npn-simple-resumption-server
-client = 14-npn-simple-resumption-client
-resume-server = 14-npn-simple-resumption-server
-resume-client = 14-npn-simple-resumption-client
-
-[14-npn-simple-resumption-server]
-Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
-PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-
-[14-npn-simple-resumption-client]
-CipherString = DEFAULT
-MaxProtocol = TLSv1.2
-VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
-VerifyMode = Peer
-
-[test-14]
+[12-npn-simple-resumption]
+ssl_conf = 12-npn-simple-resumption-ssl
+
+[12-npn-simple-resumption-ssl]
+server = 12-npn-simple-resumption-server
+client = 12-npn-simple-resumption-client
+resume-server = 12-npn-simple-resumption-server
+resume-client = 12-npn-simple-resumption-client
+
+[12-npn-simple-resumption-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[12-npn-simple-resumption-client]
+CipherString = DEFAULT
+MaxProtocol = TLSv1.2
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-12]
 ExpectedNPNProtocol = foo
 HandshakeMode = Resume
 ResumptionExpected = Yes
-server = 14-npn-simple-resumption-server-extra
-resume-server = 14-npn-simple-resumption-server-extra
-client = 14-npn-simple-resumption-client-extra
-resume-client = 14-npn-simple-resumption-client-extra
-
-[14-npn-simple-resumption-server-extra]
-NPNProtocols = foo
-
-[14-npn-simple-resumption-client-extra]
-NPNProtocols = foo
-
-
-# ===========================================================
-
-[15-npn-server-switch-resumption]
-ssl_conf = 15-npn-server-switch-resumption-ssl
-
-[15-npn-server-switch-resumption-ssl]
-server = 15-npn-server-switch-resumption-server
-client = 15-npn-server-switch-resumption-client
-resume-server = 15-npn-server-switch-resumption-resume-server
-resume-client = 15-npn-server-switch-resumption-client
-
-[15-npn-server-switch-resumption-server]
-Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
-PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-
-[15-npn-server-switch-resumption-resume-server]
-Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
-PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-
-[15-npn-server-switch-resumption-client]
-CipherString = DEFAULT
-MaxProtocol = TLSv1.2
-VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
-VerifyMode = Peer
-
-[test-15]
+server = 12-npn-simple-resumption-server-extra
+resume-server = 12-npn-simple-resumption-server-extra
+client = 12-npn-simple-resumption-client-extra
+resume-client = 12-npn-simple-resumption-client-extra
+
+[12-npn-simple-resumption-server-extra]
+NPNProtocols = foo
+
+[12-npn-simple-resumption-client-extra]
+NPNProtocols = foo
+
+
+# ===========================================================
+
+[13-npn-server-switch-resumption]
+ssl_conf = 13-npn-server-switch-resumption-ssl
+
+[13-npn-server-switch-resumption-ssl]
+server = 13-npn-server-switch-resumption-server
+client = 13-npn-server-switch-resumption-client
+resume-server = 13-npn-server-switch-resumption-resume-server
+resume-client = 13-npn-server-switch-resumption-client
+
+[13-npn-server-switch-resumption-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[13-npn-server-switch-resumption-resume-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[13-npn-server-switch-resumption-client]
+CipherString = DEFAULT
+MaxProtocol = TLSv1.2
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-13]
 ExpectedNPNProtocol = baz
 HandshakeMode = Resume
 ResumptionExpected = Yes
-server = 15-npn-server-switch-resumption-server-extra
-resume-server = 15-npn-server-switch-resumption-resume-server-extra
-client = 15-npn-server-switch-resumption-client-extra
-resume-client = 15-npn-server-switch-resumption-client-extra
-
-[15-npn-server-switch-resumption-server-extra]
+server = 13-npn-server-switch-resumption-server-extra
+resume-server = 13-npn-server-switch-resumption-resume-server-extra
+client = 13-npn-server-switch-resumption-client-extra
+resume-client = 13-npn-server-switch-resumption-client-extra
+
+[13-npn-server-switch-resumption-server-extra]
 NPNProtocols = bar,foo
 
-[15-npn-server-switch-resumption-resume-server-extra]
+[13-npn-server-switch-resumption-resume-server-extra]
 NPNProtocols = baz,foo
 
-[15-npn-server-switch-resumption-client-extra]
+[13-npn-server-switch-resumption-client-extra]
 NPNProtocols = foo,bar,baz
 
@@ -612 +545 @@
 # ===========================================================
 
-[16-npn-client-switch-resumption]
-ssl_conf = 16-npn-client-switch-resumption-ssl
-
-[16-npn-client-switch-resumption-ssl]
-server = 16-npn-client-switch-resumption-server
-client = 16-npn-client-switch-resumption-client
-resume-server = 16-npn-client-switch-resumption-server
-resume-client = 16-npn-client-switch-resumption-resume-client
-
-[16-npn-client-switch-resumption-server]
-Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
-PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-
-[16-npn-client-switch-resumption-client]
-CipherString = DEFAULT
-MaxProtocol = TLSv1.2
-VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
-VerifyMode = Peer
-
-[16-npn-client-switch-resumption-resume-client]
-CipherString = DEFAULT
-MaxProtocol = TLSv1.2
-VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
-VerifyMode = Peer
-
-[test-16]
+[14-npn-client-switch-resumption]
+ssl_conf = 14-npn-client-switch-resumption-ssl
+
+[14-npn-client-switch-resumption-ssl]
+server = 14-npn-client-switch-resumption-server
+client = 14-npn-client-switch-resumption-client
+resume-server = 14-npn-client-switch-resumption-server
+resume-client = 14-npn-client-switch-resumption-resume-client
+
+[14-npn-client-switch-resumption-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[14-npn-client-switch-resumption-client]
+CipherString = DEFAULT
+MaxProtocol = TLSv1.2
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[14-npn-client-switch-resumption-resume-client]
+CipherString = DEFAULT
+MaxProtocol = TLSv1.2
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-14]
 ExpectedNPNProtocol = bar
 HandshakeMode = Resume
 ResumptionExpected = Yes
-server = 16-npn-client-switch-resumption-server-extra
-resume-server = 16-npn-client-switch-resumption-server-extra
-client = 16-npn-client-switch-resumption-client-extra
-resume-client = 16-npn-client-switch-resumption-resume-client-extra
-
-[16-npn-client-switch-resumption-server-extra]
+server = 14-npn-client-switch-resumption-server-extra
+resume-server = 14-npn-client-switch-resumption-server-extra
+client = 14-npn-client-switch-resumption-client-extra
+resume-client = 14-npn-client-switch-resumption-resume-client-extra
+
+[14-npn-client-switch-resumption-server-extra]
 NPNProtocols = foo,bar,baz
 
-[16-npn-client-switch-resumption-client-extra]
+[14-npn-client-switch-resumption-client-extra]
 NPNProtocols = foo,baz
 
-[16-npn-client-switch-resumption-resume-client-extra]
+[14-npn-client-switch-resumption-resume-client-extra]
 NPNProtocols = bar,baz
 
@@ -659 +592 @@
 # ===========================================================
 
-[17-npn-client-first-pref-on-mismatch-resumption]
-ssl_conf = 17-npn-client-first-pref-on-mismatch-resumption-ssl
-
-[17-npn-client-first-pref-on-mismatch-resumption-ssl]
-server = 17-npn-client-first-pref-on-mismatch-resumption-server
-client = 17-npn-client-first-pref-on-mismatch-resumption-client
-resume-server = 17-npn-client-first-pref-on-mismatch-resumption-resume-server
-resume-client = 17-npn-client-first-pref-on-mismatch-resumption-client
-
-[17-npn-client-first-pref-on-mismatch-resumption-server]
-Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
-PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-
-[17-npn-client-first-pref-on-mismatch-resumption-resume-server]
-Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
-PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-
-[17-npn-client-first-pref-on-mismatch-resumption-client]
-CipherString = DEFAULT
-MaxProtocol = TLSv1.2
-VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
-VerifyMode = Peer
-
-[test-17]
+[15-npn-client-first-pref-on-mismatch-resumption]
+ssl_conf = 15-npn-client-first-pref-on-mismatch-resumption-ssl
+
+[15-npn-client-first-pref-on-mismatch-resumption-ssl]
+server = 15-npn-client-first-pref-on-mismatch-resumption-server
+client = 15-npn-client-first-pref-on-mismatch-resumption-client
+resume-server = 15-npn-client-first-pref-on-mismatch-resumption-resume-server
+resume-client = 15-npn-client-first-pref-on-mismatch-resumption-client
+
+[15-npn-client-first-pref-on-mismatch-resumption-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[15-npn-client-first-pref-on-mismatch-resumption-resume-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[15-npn-client-first-pref-on-mismatch-resumption-client]
+CipherString = DEFAULT
+MaxProtocol = TLSv1.2
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-15]
 ExpectedNPNProtocol = foo
 HandshakeMode = Resume
 ResumptionExpected = Yes
-server = 17-npn-client-first-pref-on-mismatch-resumption-server-extra
-resume-server = 17-npn-client-first-pref-on-mismatch-resumption-resume-server-extra
-client = 17-npn-client-first-pref-on-mismatch-resumption-client-extra
-resume-client = 17-npn-client-first-pref-on-mismatch-resumption-client-extra
-
-[17-npn-client-first-pref-on-mismatch-resumption-server-extra]
-NPNProtocols = bar
-
-[17-npn-client-first-pref-on-mismatch-resumption-resume-server-extra]
+server = 15-npn-client-first-pref-on-mismatch-resumption-server-extra
+resume-server = 15-npn-client-first-pref-on-mismatch-resumption-resume-server-extra
+client = 15-npn-client-first-pref-on-mismatch-resumption-client-extra
+resume-client = 15-npn-client-first-pref-on-mismatch-resumption-client-extra
+
+[15-npn-client-first-pref-on-mismatch-resumption-server-extra]
+NPNProtocols = bar
+
+[15-npn-client-first-pref-on-mismatch-resumption-resume-server-extra]
 NPNProtocols = baz
 
-[17-npn-client-first-pref-on-mismatch-resumption-client-extra]
+[15-npn-client-first-pref-on-mismatch-resumption-client-extra]
 NPNProtocols = foo,bar
 
@@ -705 +638 @@
 # ===========================================================
 
-[18-npn-no-server-support-resumption]
-ssl_conf = 18-npn-no-server-support-resumption-ssl
-
-[18-npn-no-server-support-resumption-ssl]
-server = 18-npn-no-server-support-resumption-server
-client = 18-npn-no-server-support-resumption-client
-resume-server = 18-npn-no-server-support-resumption-resume-server
-resume-client = 18-npn-no-server-support-resumption-client
-
-[18-npn-no-server-support-resumption-server]
-Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
-PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-
-[18-npn-no-server-support-resumption-resume-server]
-Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
-PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-
-[18-npn-no-server-support-resumption-client]
-CipherString = DEFAULT
-MaxProtocol = TLSv1.2
-VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
-VerifyMode = Peer
-
-[test-18]
+[16-npn-no-server-support-resumption]
+ssl_conf = 16-npn-no-server-support-resumption-ssl
+
+[16-npn-no-server-support-resumption-ssl]
+server = 16-npn-no-server-support-resumption-server
+client = 16-npn-no-server-support-resumption-client
+resume-server = 16-npn-no-server-support-resumption-resume-server
+resume-client = 16-npn-no-server-support-resumption-client
+
+[16-npn-no-server-support-resumption-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[16-npn-no-server-support-resumption-resume-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[16-npn-no-server-support-resumption-client]
+CipherString = DEFAULT
+MaxProtocol = TLSv1.2
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-16]
 HandshakeMode = Resume
 ResumptionExpected = Yes
-server = 18-npn-no-server-support-resumption-server-extra
-client = 18-npn-no-server-support-resumption-client-extra
-resume-client = 18-npn-no-server-support-resumption-client-extra
-
-[18-npn-no-server-support-resumption-server-extra]
-NPNProtocols = foo
-
-[18-npn-no-server-support-resumption-client-extra]
-NPNProtocols = foo
-
-
-# ===========================================================
-
-[19-npn-no-client-support-resumption]
-ssl_conf = 19-npn-no-client-support-resumption-ssl
-
-[19-npn-no-client-support-resumption-ssl]
-server = 19-npn-no-client-support-resumption-server
-client = 19-npn-no-client-support-resumption-client
-resume-server = 19-npn-no-client-support-resumption-server
-resume-client = 19-npn-no-client-support-resumption-resume-client
-
-[19-npn-no-client-support-resumption-server]
-Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
-PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-
-[19-npn-no-client-support-resumption-client]
-CipherString = DEFAULT
-MaxProtocol = TLSv1.2
-VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
-VerifyMode = Peer
-
-[19-npn-no-client-support-resumption-resume-client]
-CipherString = DEFAULT
-MaxProtocol = TLSv1.2
-VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
-VerifyMode = Peer
-
-[test-19]
+server = 16-npn-no-server-support-resumption-server-extra
+client = 16-npn-no-server-support-resumption-client-extra
+resume-client = 16-npn-no-server-support-resumption-client-extra
+
+[16-npn-no-server-support-resumption-server-extra]
+NPNProtocols = foo
+
+[16-npn-no-server-support-resumption-client-extra]
+NPNProtocols = foo
+
+
+# ===========================================================
+
+[17-npn-no-client-support-resumption]
+ssl_conf = 17-npn-no-client-support-resumption-ssl
+
+[17-npn-no-client-support-resumption-ssl]
+server = 17-npn-no-client-support-resumption-server
+client = 17-npn-no-client-support-resumption-client
+resume-server = 17-npn-no-client-support-resumption-server
+resume-client = 17-npn-no-client-support-resumption-resume-client
+
+[17-npn-no-client-support-resumption-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[17-npn-no-client-support-resumption-client]
+CipherString = DEFAULT
+MaxProtocol = TLSv1.2
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[17-npn-no-client-support-resumption-resume-client]
+CipherString = DEFAULT
+MaxProtocol = TLSv1.2
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-17]
 HandshakeMode = Resume
 ResumptionExpected = Yes
-server = 19-npn-no-client-support-resumption-server-extra
-resume-server = 19-npn-no-client-support-resumption-server-extra
-client = 19-npn-no-client-support-resumption-client-extra
-
-[19-npn-no-client-support-resumption-server-extra]
-NPNProtocols = foo
-
-[19-npn-no-client-support-resumption-client-extra]
-NPNProtocols = foo
-
-
-# ===========================================================
-
-[20-alpn-preferred-over-npn-resumption]
-ssl_conf = 20-alpn-preferred-over-npn-resumption-ssl
-
-[20-alpn-preferred-over-npn-resumption-ssl]
-server = 20-alpn-preferred-over-npn-resumption-server
-client = 20-alpn-preferred-over-npn-resumption-client
-resume-server = 20-alpn-preferred-over-npn-resumption-resume-server
-resume-client = 20-alpn-preferred-over-npn-resumption-client
-
-[20-alpn-preferred-over-npn-resumption-server]
-Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
-PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-
-[20-alpn-preferred-over-npn-resumption-resume-server]
-Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
-PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-
-[20-alpn-preferred-over-npn-resumption-client]
-CipherString = DEFAULT
-MaxProtocol = TLSv1.2
-VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
-VerifyMode = Peer
-
-[test-20]
+server = 17-npn-no-client-support-resumption-server-extra
+resume-server = 17-npn-no-client-support-resumption-server-extra
+client = 17-npn-no-client-support-resumption-client-extra
+
+[17-npn-no-client-support-resumption-server-extra]
+NPNProtocols = foo
+
+[17-npn-no-client-support-resumption-client-extra]
+NPNProtocols = foo
+
+
+# ===========================================================
+
+[18-alpn-preferred-over-npn-resumption]
+ssl_conf = 18-alpn-preferred-over-npn-resumption-ssl
+
+[18-alpn-preferred-over-npn-resumption-ssl]
+server = 18-alpn-preferred-over-npn-resumption-server
+client = 18-alpn-preferred-over-npn-resumption-client
+resume-server = 18-alpn-preferred-over-npn-resumption-resume-server
+resume-client = 18-alpn-preferred-over-npn-resumption-client
+
+[18-alpn-preferred-over-npn-resumption-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[18-alpn-preferred-over-npn-resumption-resume-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[18-alpn-preferred-over-npn-resumption-client]
+CipherString = DEFAULT
+MaxProtocol = TLSv1.2
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-18]
 ExpectedALPNProtocol = foo
 HandshakeMode = Resume
 ResumptionExpected = Yes
-server = 20-alpn-preferred-over-npn-resumption-server-extra
-resume-server = 20-alpn-preferred-over-npn-resumption-resume-server-extra
-client = 20-alpn-preferred-over-npn-resumption-client-extra
-resume-client = 20-alpn-preferred-over-npn-resumption-client-extra
-
-[20-alpn-preferred-over-npn-resumption-server-extra]
-NPNProtocols = bar
-
-[20-alpn-preferred-over-npn-resumption-resume-server-extra]
+server = 18-alpn-preferred-over-npn-resumption-server-extra
+resume-server = 18-alpn-preferred-over-npn-resumption-resume-server-extra
+client = 18-alpn-preferred-over-npn-resumption-client-extra
+resume-client = 18-alpn-preferred-over-npn-resumption-client-extra
+
+[18-alpn-preferred-over-npn-resumption-server-extra]
+NPNProtocols = bar
+
+[18-alpn-preferred-over-npn-resumption-resume-server-extra]
 ALPNProtocols = foo
 NPNProtocols = baz
 
-[20-alpn-preferred-over-npn-resumption-client-extra]
+[18-alpn-preferred-over-npn-resumption-client-extra]
 ALPNProtocols = foo
 NPNProtocols = bar,baz
@@ -836 +769 @@
 # ===========================================================
 
-[21-npn-used-if-alpn-not-supported-resumption]
-ssl_conf = 21-npn-used-if-alpn-not-supported-resumption-ssl
-
-[21-npn-used-if-alpn-not-supported-resumption-ssl]
-server = 21-npn-used-if-alpn-not-supported-resumption-server
-client = 21-npn-used-if-alpn-not-supported-resumption-client
-resume-server = 21-npn-used-if-alpn-not-supported-resumption-resume-server
-resume-client = 21-npn-used-if-alpn-not-supported-resumption-client
-
-[21-npn-used-if-alpn-not-supported-resumption-server]
-Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
-PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-
-[21-npn-used-if-alpn-not-supported-resumption-resume-server]
-Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
-PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-
-[21-npn-used-if-alpn-not-supported-resumption-client]
-CipherString = DEFAULT
-MaxProtocol = TLSv1.2
-VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
-VerifyMode = Peer
-
-[test-21]
+[19-npn-used-if-alpn-not-supported-resumption]
+ssl_conf = 19-npn-used-if-alpn-not-supported-resumption-ssl
+
+[19-npn-used-if-alpn-not-supported-resumption-ssl]
+server = 19-npn-used-if-alpn-not-supported-resumption-server
+client = 19-npn-used-if-alpn-not-supported-resumption-client
+resume-server = 19-npn-used-if-alpn-not-supported-resumption-resume-server
+resume-client = 19-npn-used-if-alpn-not-supported-resumption-client
+
+[19-npn-used-if-alpn-not-supported-resumption-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[19-npn-used-if-alpn-not-supported-resumption-resume-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[19-npn-used-if-alpn-not-supported-resumption-client]
+CipherString = DEFAULT
+MaxProtocol = TLSv1.2
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-19]
 ExpectedNPNProtocol = baz
 HandshakeMode = Resume
 ResumptionExpected = Yes
-server = 21-npn-used-if-alpn-not-supported-resumption-server-extra
-resume-server = 21-npn-used-if-alpn-not-supported-resumption-resume-server-extra
-client = 21-npn-used-if-alpn-not-supported-resumption-client-extra
-resume-client = 21-npn-used-if-alpn-not-supported-resumption-client-extra
-
-[21-npn-used-if-alpn-not-supported-resumption-server-extra]
+server = 19-npn-used-if-alpn-not-supported-resumption-server-extra
+resume-server = 19-npn-used-if-alpn-not-supported-resumption-resume-server-extra
+client = 19-npn-used-if-alpn-not-supported-resumption-client-extra
+resume-client = 19-npn-used-if-alpn-not-supported-resumption-client-extra
+
+[19-npn-used-if-alpn-not-supported-resumption-server-extra]
 ALPNProtocols = foo
 NPNProtocols = bar
 
-[21-npn-used-if-alpn-not-supported-resumption-resume-server-extra]
+[19-npn-used-if-alpn-not-supported-resumption-resume-server-extra]
 NPNProtocols = baz
 
-[21-npn-used-if-alpn-not-supported-resumption-client-extra]
+[19-npn-used-if-alpn-not-supported-resumption-client-extra]
 ALPNProtocols = foo
 NPNProtocols = bar,baz

trunk/src/libs/openssl-3.1.7/test/ssl-tests/08-npn.cnf.in

@@ -1 +1 @@
 # -*- mode: perl; -*-
-# Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License").  You may not use
@@ -112 +112 @@
     },
     {
-        name => "npn-empty-client-list",
-        server => {
-            extra => {
-                "NPNProtocols" => "foo",
-            },
-        },
-        client => {
-            extra => {
-                "NPNProtocols" => "",
-            },
-            "MaxProtocol" => "TLSv1.2"
-        },
-        test => {
-            "ExpectedResult" => "ClientFail",
-            "ExpectedClientAlert" => "HandshakeFailure"
-        },
-    },
-    {
-        name => "npn-empty-server-list",
-        server => {
-            extra => {
-                "NPNProtocols" => "",
-            },
-        },
-        client => {
-            extra => {
-                "NPNProtocols" => "foo",
-            },
-            "MaxProtocol" => "TLSv1.2"
-        },
-        test => {
-            "ExpectedNPNProtocol" => "foo"
-        },
-    },
-    {
         name => "npn-with-sni-no-context-switch",
         server => {

trunk/src/libs/openssl-3.1.7/test/ssl-tests/09-alpn.cnf

@@ -1 +1 @@
 # Generated with generate_ssl_tests.pl
 
-num_tests = 18
+num_tests = 16
 
 test-0 = 0-alpn-simple
@@ -19 +19 @@
 test-14 = 14-alpn-no-server-support-resumption
 test-15 = 15-alpn-no-client-support-resumption
-test-16 = 16-alpn-empty-client-list
-test-17 = 17-alpn-empty-server-list
 # ===========================================================
 
@@ -620 +618 @@
 
 
-# ===========================================================
-
-[16-alpn-empty-client-list]
-ssl_conf = 16-alpn-empty-client-list-ssl
-
-[16-alpn-empty-client-list-ssl]
-server = 16-alpn-empty-client-list-server
-client = 16-alpn-empty-client-list-client
-
-[16-alpn-empty-client-list-server]
-Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
-PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-
-[16-alpn-empty-client-list-client]
-CipherString = DEFAULT
-VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
-VerifyMode = Peer
-
-[test-16]
-server = 16-alpn-empty-client-list-server-extra
-client = 16-alpn-empty-client-list-client-extra
-
-[16-alpn-empty-client-list-server-extra]
-ALPNProtocols = foo
-
-[16-alpn-empty-client-list-client-extra]
-ALPNProtocols = 
-
-
-# ===========================================================
-
-[17-alpn-empty-server-list]
-ssl_conf = 17-alpn-empty-server-list-ssl
-
-[17-alpn-empty-server-list-ssl]
-server = 17-alpn-empty-server-list-server
-client = 17-alpn-empty-server-list-client
-
-[17-alpn-empty-server-list-server]
-Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
-PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-
-[17-alpn-empty-server-list-client]
-CipherString = DEFAULT
-VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
-VerifyMode = Peer
-
-[test-17]
-ExpectedResult = ServerFail
-ExpectedServerAlert = NoApplicationProtocol
-server = 17-alpn-empty-server-list-server-extra
-client = 17-alpn-empty-server-list-client-extra
-
-[17-alpn-empty-server-list-server-extra]
-ALPNProtocols = 
-
-[17-alpn-empty-server-list-client-extra]
-ALPNProtocols = foo
-
-

trunk/src/libs/openssl-3.1.7/test/ssl-tests/09-alpn.cnf.in

@@ -1 +1 @@
 # -*- mode: perl; -*-
-# Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License").  You may not use
@@ -323 +323 @@
         },
     },
-    {
-        name => "alpn-empty-client-list",
-        server => {
-            extra => {
-                "ALPNProtocols" => "foo",
-            },
-        },
-        client => {
-            extra => {
-                "ALPNProtocols" => "",
-            },
-        },
-        test => {
-            "ExpectedALPNProtocol" => undef,
-        },
-    },
-    {
-        name => "alpn-empty-server-list",
-        server => {
-            extra => {
-                "ALPNProtocols" => "",
-            },
-        },
-        client => {
-            extra => {
-                "ALPNProtocols" => "foo",
-            },
-        },
-        test => {
-            "ExpectedResult" => "ServerFail",
-            "ExpectedServerAlert" => "NoApplicationProtocol",
-        },
-    },
 );

trunk/src/libs/openssl-3.1.7/test/ssl-tests/14-curves.cnf.in

@@ -13 +13 @@
 our $fips_mode;
 
-my @curves = ("prime256v1", "secp384r1", "secp521r1");
-
-my @curves_no_fips = ("X25519", "X448");
-
-push @curves, @curves_no_fips if !$fips_mode;
+my @curves = ("prime256v1", "secp384r1", "secp521r1", "X25519",
+              "X448");
 
 #Curves *only* suitable for use in TLSv1.3

trunk/src/libs/openssl-3.1.7/test/ssl-tests/20-cert-select.cnf

@@ -20 +20 @@
 test-15 = 15-Ed25519 CipherString and Signature Algorithm Selection
 test-16 = 16-Ed448 CipherString and Signature Algorithm Selection
-test-17 = 17-TLS 1.2 Ed25519 Client Auth
-test-18 = 18-TLS 1.2 Ed448 Client Auth
-test-19 = 19-ECDSA Signature Algorithm Selection SHA1
-test-20 = 20-ECDSA with brainpool
-test-21 = 21-Ed25519 CipherString and Curves Selection
-test-22 = 22-Ed448 CipherString and Curves Selection
+test-17 = 17-Ed25519 CipherString and Curves Selection
+test-18 = 18-Ed448 CipherString and Curves Selection
+test-19 = 19-TLS 1.2 Ed25519 Client Auth
+test-20 = 20-TLS 1.2 Ed448 Client Auth
+test-21 = 21-ECDSA Signature Algorithm Selection SHA1
+test-22 = 22-ECDSA with brainpool
 test-23 = 23-RSA-PSS Certificate CipherString Selection
 test-24 = 24-RSA-PSS Certificate Legacy Signature Algorithm Selection
@@ -603 +603 @@
 # ===========================================================
 
-[17-TLS 1.2 Ed25519 Client Auth]
-ssl_conf = 17-TLS 1.2 Ed25519 Client Auth-ssl
-
-[17-TLS 1.2 Ed25519 Client Auth-ssl]
-server = 17-TLS 1.2 Ed25519 Client Auth-server
-client = 17-TLS 1.2 Ed25519 Client Auth-client
-
-[17-TLS 1.2 Ed25519 Client Auth-server]
+[17-Ed25519 CipherString and Curves Selection]
+ssl_conf = 17-Ed25519 CipherString and Curves Selection-ssl
+
+[17-Ed25519 CipherString and Curves Selection-ssl]
+server = 17-Ed25519 CipherString and Curves Selection-server
+client = 17-Ed25519 CipherString and Curves Selection-client
+
+[17-Ed25519 CipherString and Curves Selection-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
+ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem
+Ed25519.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem
+Ed25519.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem
+Ed448.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem
+Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem
+MaxProtocol = TLSv1.2
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[17-Ed25519 CipherString and Curves Selection-client]
+CipherString = aECDSA
+Curves = X25519
+MaxProtocol = TLSv1.2
+SignatureAlgorithms = ECDSA+SHA256:ed25519
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-17]
+ExpectedResult = Success
+ExpectedServerCertType = Ed25519
+ExpectedServerSignType = Ed25519
+
+
+# ===========================================================
+
+[18-Ed448 CipherString and Curves Selection]
+ssl_conf = 18-Ed448 CipherString and Curves Selection-ssl
+
+[18-Ed448 CipherString and Curves Selection-ssl]
+server = 18-Ed448 CipherString and Curves Selection-server
+client = 18-Ed448 CipherString and Curves Selection-client
+
+[18-Ed448 CipherString and Curves Selection-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
+ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem
+Ed25519.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem
+Ed25519.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem
+Ed448.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem
+Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem
+MaxProtocol = TLSv1.2
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[18-Ed448 CipherString and Curves Selection-client]
+CipherString = aECDSA
+Curves = X448
+MaxProtocol = TLSv1.2
+SignatureAlgorithms = ECDSA+SHA256:ed448
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-ed448-cert.pem
+VerifyMode = Peer
+
+[test-18]
+ExpectedResult = Success
+ExpectedServerCertType = Ed448
+ExpectedServerSignType = Ed448
+
+
+# ===========================================================
+
+[19-TLS 1.2 Ed25519 Client Auth]
+ssl_conf = 19-TLS 1.2 Ed25519 Client Auth-ssl
+
+[19-TLS 1.2 Ed25519 Client Auth-ssl]
+server = 19-TLS 1.2 Ed25519 Client Auth-server
+client = 19-TLS 1.2 Ed25519 Client Auth-client
+
+[19-TLS 1.2 Ed25519 Client Auth-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
@@ -617 +687 @@
 VerifyMode = Require
 
-[17-TLS 1.2 Ed25519 Client Auth-client]
+[19-TLS 1.2 Ed25519 Client Auth-client]
 CipherString = DEFAULT
 Ed25519.Certificate = ${ENV::TEST_CERTS_DIR}/client-ed25519-cert.pem
@@ -626 +696 @@
 VerifyMode = Peer
 
-[test-17]
+[test-19]
 ExpectedClientCertType = Ed25519
 ExpectedClientSignType = Ed25519
@@ -634 +704 @@
 # ===========================================================
 
-[18-TLS 1.2 Ed448 Client Auth]
-ssl_conf = 18-TLS 1.2 Ed448 Client Auth-ssl
-
-[18-TLS 1.2 Ed448 Client Auth-ssl]
-server = 18-TLS 1.2 Ed448 Client Auth-server
-client = 18-TLS 1.2 Ed448 Client Auth-client
-
-[18-TLS 1.2 Ed448 Client Auth-server]
+[20-TLS 1.2 Ed448 Client Auth]
+ssl_conf = 20-TLS 1.2 Ed448 Client Auth-ssl
+
+[20-TLS 1.2 Ed448 Client Auth-ssl]
+server = 20-TLS 1.2 Ed448 Client Auth-server
+client = 20-TLS 1.2 Ed448 Client Auth-client
+
+[20-TLS 1.2 Ed448 Client Auth-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
@@ -648 +718 @@
 VerifyMode = Require
 
-[18-TLS 1.2 Ed448 Client Auth-client]
+[20-TLS 1.2 Ed448 Client Auth-client]
 CipherString = DEFAULT
 Ed448.Certificate = ${ENV::TEST_CERTS_DIR}/client-ed448-cert.pem
@@ -657 +727 @@
 VerifyMode = Peer
 
-[test-18]
+[test-20]
 ExpectedClientCertType = Ed448
 ExpectedClientSignType = Ed448
@@ -665 +735 @@
 # ===========================================================
 
-[19-ECDSA Signature Algorithm Selection SHA1]
-ssl_conf = 19-ECDSA Signature Algorithm Selection SHA1-ssl
-
-[19-ECDSA Signature Algorithm Selection SHA1-ssl]
-server = 19-ECDSA Signature Algorithm Selection SHA1-server
-client = 19-ECDSA Signature Algorithm Selection SHA1-client
-
-[19-ECDSA Signature Algorithm Selection SHA1-server]
+[21-ECDSA Signature Algorithm Selection SHA1]
+ssl_conf = 21-ECDSA Signature Algorithm Selection SHA1-ssl
+
+[21-ECDSA Signature Algorithm Selection SHA1-ssl]
+server = 21-ECDSA Signature Algorithm Selection SHA1-server
+client = 21-ECDSA Signature Algorithm Selection SHA1-client
+
+[21-ECDSA Signature Algorithm Selection SHA1-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT:@SECLEVEL=0
@@ -684 +754 @@
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[19-ECDSA Signature Algorithm Selection SHA1-client]
+[21-ECDSA Signature Algorithm Selection SHA1-client]
 CipherString = DEFAULT:@SECLEVEL=0
 SignatureAlgorithms = ECDSA+SHA1
@@ -690 +760 @@
 VerifyMode = Peer
 
-[test-19]
+[test-21]
 ExpectedResult = Success
 ExpectedServerCertType = P-256
@@ -699 +769 @@
 # ===========================================================
 
-[20-ECDSA with brainpool]
-ssl_conf = 20-ECDSA with brainpool-ssl
-
-[20-ECDSA with brainpool-ssl]
-server = 20-ECDSA with brainpool-server
-client = 20-ECDSA with brainpool-client
-
-[20-ECDSA with brainpool-server]
+[22-ECDSA with brainpool]
+ssl_conf = 22-ECDSA with brainpool-ssl
+
+[22-ECDSA with brainpool-ssl]
+server = 22-ECDSA with brainpool-server
+client = 22-ECDSA with brainpool-client
+
+[22-ECDSA with brainpool-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-cert.pem
 CipherString = DEFAULT
@@ -712 +782 @@
 PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-key.pem
 
-[20-ECDSA with brainpool-client]
+[22-ECDSA with brainpool-client]
 CipherString = aECDSA
 Groups = brainpoolP256r1
@@ -720 +790 @@
 VerifyMode = Peer
 
-[test-20]
+[test-22]
 ExpectedResult = Success
 ExpectedServerCANames = empty
 ExpectedServerCertType = brainpoolP256r1
 ExpectedServerSignType = EC
-
-
-# ===========================================================
-
-[21-Ed25519 CipherString and Curves Selection]
-ssl_conf = 21-Ed25519 CipherString and Curves Selection-ssl
-
-[21-Ed25519 CipherString and Curves Selection-ssl]
-server = 21-Ed25519 CipherString and Curves Selection-server
-client = 21-Ed25519 CipherString and Curves Selection-client
-
-[21-Ed25519 CipherString and Curves Selection-server]
-Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
-ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
-ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem
-Ed25519.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem
-Ed25519.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem
-Ed448.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem
-Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem
-MaxProtocol = TLSv1.2
-PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-
-[21-Ed25519 CipherString and Curves Selection-client]
-CipherString = aECDSA
-Curves = X25519
-MaxProtocol = TLSv1.2
-SignatureAlgorithms = ECDSA+SHA256:ed25519
-VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
-VerifyMode = Peer
-
-[test-21]
-ExpectedResult = Success
-ExpectedServerCertType = Ed25519
-ExpectedServerSignType = Ed25519
-
-
-# ===========================================================
-
-[22-Ed448 CipherString and Curves Selection]
-ssl_conf = 22-Ed448 CipherString and Curves Selection-ssl
-
-[22-Ed448 CipherString and Curves Selection-ssl]
-server = 22-Ed448 CipherString and Curves Selection-server
-client = 22-Ed448 CipherString and Curves Selection-client
-
-[22-Ed448 CipherString and Curves Selection-server]
-Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
-ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
-ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem
-Ed25519.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed25519-cert.pem
-Ed25519.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed25519-key.pem
-Ed448.Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem
-Ed448.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem
-MaxProtocol = TLSv1.2
-PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-
-[22-Ed448 CipherString and Curves Selection-client]
-CipherString = aECDSA
-Curves = X448
-MaxProtocol = TLSv1.2
-SignatureAlgorithms = ECDSA+SHA256:ed448
-VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-ed448-cert.pem
-VerifyMode = Peer
-
-[test-22]
-ExpectedResult = Success
-ExpectedServerCertType = Ed448
-ExpectedServerSignType = Ed448
 
 

trunk/src/libs/openssl-3.1.7/test/ssl-tests/20-cert-select.cnf.in

@@ -330 +330 @@
     },
     {
+        name => "Ed25519 CipherString and Curves Selection",
+        server => $server,
+        client => {
+            "CipherString" => "aECDSA",
+            "MaxProtocol" => "TLSv1.2",
+            "SignatureAlgorithms" => "ECDSA+SHA256:ed25519",
+            # Excluding P-256 from the supported curves list means server
+            # certificate should be Ed25519 and not P-256
+            "Curves" => "X25519"
+        },
+        test   => {
+            "ExpectedServerCertType" =>, "Ed25519",
+            "ExpectedServerSignType" =>, "Ed25519",
+            "ExpectedResult" => "Success"
+        },
+    },
+    {
+        name => "Ed448 CipherString and Curves Selection",
+        server => $server,
+        client => {
+            "CipherString" => "aECDSA",
+            "MaxProtocol" => "TLSv1.2",
+            "SignatureAlgorithms" => "ECDSA+SHA256:ed448",
+            "VerifyCAFile" => test_pem("root-ed448-cert.pem"),
+            # Excluding P-256 from the supported curves list means server
+            # certificate should be Ed25519 and not P-256
+            "Curves" => "X448"
+        },
+        test   => {
+            "ExpectedServerCertType" =>, "Ed448",
+            "ExpectedServerSignType" =>, "Ed448",
+            "ExpectedResult" => "Success"
+        },
+    },
+    {
         name => "TLS 1.2 Ed25519 Client Auth",
         server => {
@@ -409 +444 @@
             # Note: certificate_authorities not sent for TLS < 1.3
             "ExpectedServerCANames" =>, "empty",
-            "ExpectedResult" => "Success"
-        },
-    },
-    {
-        name => "Ed25519 CipherString and Curves Selection",
-        server => $server,
-        client => {
-            "CipherString" => "aECDSA",
-            "MaxProtocol" => "TLSv1.2",
-            "SignatureAlgorithms" => "ECDSA+SHA256:ed25519",
-            # Excluding P-256 from the supported curves list means server
-            # certificate should be Ed25519 and not P-256
-            "Curves" => "X25519"
-        },
-        test   => {
-            "ExpectedServerCertType" =>, "Ed25519",
-            "ExpectedServerSignType" =>, "Ed25519",
-            "ExpectedResult" => "Success"
-        },
-    },
-    {
-        name => "Ed448 CipherString and Curves Selection",
-        server => $server,
-        client => {
-            "CipherString" => "aECDSA",
-            "MaxProtocol" => "TLSv1.2",
-            "SignatureAlgorithms" => "ECDSA+SHA256:ed448",
-            "VerifyCAFile" => test_pem("root-ed448-cert.pem"),
-            # Excluding P-256 from the supported curves list means server
-            # certificate should be Ed25519 and not P-256
-            "Curves" => "X448"
-        },
-        test   => {
-            "ExpectedServerCertType" =>, "Ed448",
-            "ExpectedServerSignType" =>, "Ed448",
             "ExpectedResult" => "Success"
         },

trunk/src/libs/openssl-3.1.7/test/ssl-tests/28-seclevel.cnf.in

@@ -1 +1 @@
 # -*- mode: perl; -*-
-# Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License").  You may not use
@@ -57 +57 @@
                     "VerifyCAFile" => test_pem("root-ed448-cert.pem") },
         test   => { "ExpectedResult" => "ServerFail" },
-    }
-);
-
-our @tests_ec_non_fips = (
+    },
     {
         name => "SECLEVEL 3 with P-384 key, X25519 ECDHE",
@@ -85 +82 @@
 );
 
-push @tests_ec, @tests_ec_non_fips unless $fips_mode;
 push @tests, @tests_ec unless disabled("ec");
 push @tests, @tests_tls1_2 unless disabled("tls1_2") || disabled("ec");

trunk/src/libs/openssl-3.1.7/test/sslapitest.c

@@ -1 +1 @@
 /*
- * Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
@@ -2410 +2410 @@
 }
 
+
 #ifndef OSSL_NO_USABLE_TLS1_3
 static SSL_SESSION *sesscache[6];
@@ -3497 +3498 @@
 }
 
-static int check_early_data_timeout(time_t timer)
-{
-    int res = 0;
-
-    /*
-     * Early data is time sensitive. We have an approx 8 second allowance
-     * between writing the early data and reading it. If we exceed that time
-     * then this test will fail. This can sometimes (rarely) occur in normal CI
-     * operation. We can try and detect this and just ignore the result of this
-     * test if it has taken too long. We assume anything over 7 seconds is too
-     * long
-     */
-    timer = time(NULL) - timer;
-    if (timer >= 7)
-        res = TEST_skip("Test took too long, ignoring result");
-
-    return res;
-}
-
 static int test_early_data_read_write(int idx)
 {
@@ -3525 +3507 @@
     size_t readbytes, written, eoedlen, rawread, rawwritten;
     BIO *rbio;
-    time_t timer;
 
     if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
@@ -3533 +3514 @@
 
     /* Write and read some early data */
-    timer = time(NULL);
     if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
                                         &written))
-            || !TEST_size_t_eq(written, strlen(MSG1)))
-        goto end;
-
-    if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
-                                         &readbytes),
-                     SSL_READ_EARLY_DATA_SUCCESS)) {
-        testresult = check_early_data_timeout(timer);
-        goto end;
-    }
-
-    if (!TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
+            || !TEST_size_t_eq(written, strlen(MSG1))
+            || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
+                                                sizeof(buf), &readbytes),
+                            SSL_READ_EARLY_DATA_SUCCESS)
+            || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
             || !TEST_int_eq(SSL_get_early_data_status(serverssl),
                             SSL_EARLY_DATA_ACCEPTED))
@@ -3763 +3737 @@
     size_t readbytes, written;
     unsigned char buf[20];
-    time_t timer;
 
     allow_ed_cb_called = 0;
@@ -3818 +3791 @@
 
     /* Write and read some early data */
-    timer = time(NULL);
     if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
                                         &written))
@@ -3839 +3811 @@
         if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
                                              &readbytes),
-                         SSL_READ_EARLY_DATA_SUCCESS)) {
-            testresult = check_early_data_timeout(timer);
-            goto end;
-        }
-        if (!TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
+                         SSL_READ_EARLY_DATA_SUCCESS)
+                || !TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
                    /*
                     * Server will have sent its flight so client can now send
@@ -3946 +3915 @@
             goto end;
 #else
-        if (!TEST_true(SSL_set1_groups_list(serverssl, "P-384")))
+        if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
             goto end;
 #endif
@@ -4360 +4329 @@
             goto end;
     } else {
-        time_t timer = time(NULL);
-
         if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
                                             &written)))
@@ -4367 +4334 @@
 
         if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
-                                             &readbytes), readearlyres)) {
-            testresult = check_early_data_timeout(timer);
-            goto end;
-        }
-
-        if ((readearlyres == SSL_READ_EARLY_DATA_SUCCESS
+                                             &readbytes), readearlyres)
+                || (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
                     && !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
                 || !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
@@ -4410 +4373 @@
     size_t readbytes, written;
     const SSL_CIPHER *cipher;
-    time_t timer;
     const char *cipher_str[] = {
         TLS1_3_RFC_AES_128_GCM_SHA256,
@@ -4462 +4424 @@
 
     SSL_set_connect_state(clientssl);
-    timer = time(NULL);
     if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
                                         &written)))
@@ -4469 +4430 @@
     if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
                                          &readbytes),
-                                         SSL_READ_EARLY_DATA_SUCCESS)) {
-        testresult = check_early_data_timeout(timer);
-        goto end;
-    }
-
-    if (!TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
+                                         SSL_READ_EARLY_DATA_SUCCESS)
+            || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
             || !TEST_int_eq(SSL_get_early_data_status(serverssl),
                                                       SSL_EARLY_DATA_ACCEPTED)
@@ -4915 +4872 @@
             break;
         case 4:
-            if (is_fips)
-                return TEST_skip("X25519 might not be supported by fips provider.");
             kexch_alg = NID_X25519;
             kexch_name0 = "x25519";
             break;
         case 5:
-            if (is_fips)
-                return TEST_skip("X448 might not be supported by fips provider.");
             kexch_alg = NID_X448;
             kexch_name0 = "x448";
@@ -5137 +5090 @@
         expectednid = kexch_alg;
 
-    if (is_fips && (kexch_alg == NID_X25519 || kexch_alg == NID_X448))
-        return TEST_skip("X25519 and X448 might not be available in fips provider.");
-
     if (!istls13)
         max_version = TLS1_2_VERSION;
@@ -5561 +5511 @@
         goto end;
 #else
-    if (!TEST_true(SSL_set1_groups_list(serverssl, "P-384")))
+    if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256")))
         goto end;
 #endif
@@ -7525 +7475 @@
         size_t written, readbytes;
         unsigned char buf[80];
-        time_t timer;
 
         /* early_data tests */
@@ -7540 +7489 @@
 
         /* Write and read some early data and then complete the connection */
-        timer = time(NULL);
         if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
                                             &written))
-                || !TEST_size_t_eq(written, strlen(MSG1)))
-            goto end;
-
-        if (!TEST_int_eq(SSL_read_early_data(serverssl, buf,
-                                             sizeof(buf), &readbytes),
-                         SSL_READ_EARLY_DATA_SUCCESS)) {
-            testresult = check_early_data_timeout(timer);
-            goto end;
-        }
-
-        if (!TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
+                || !TEST_size_t_eq(written, strlen(MSG1))
+                || !TEST_int_eq(SSL_read_early_data(serverssl, buf,
+                                                    sizeof(buf), &readbytes),
+                                SSL_READ_EARLY_DATA_SUCCESS)
+                || !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
                 || !TEST_int_eq(SSL_get_early_data_status(serverssl),
                                 SSL_EARLY_DATA_ACCEPTED)
@@ -9021 +8963 @@
 
 /*
- * Test that a session cache overflow works as expected
- * Test 0: TLSv1.3, timeout on new session later than old session
- * Test 1: TLSv1.2, timeout on new session later than old session
- * Test 2: TLSv1.3, timeout on new session earlier than old session
- * Test 3: TLSv1.2, timeout on new session earlier than old session
- */
-#if !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
-static int test_session_cache_overflow(int idx)
-{
-    SSL_CTX *sctx = NULL, *cctx = NULL;
-    SSL *serverssl = NULL, *clientssl = NULL;
-    int testresult = 0;
-    SSL_SESSION *sess = NULL;
-
-#ifdef OSSL_NO_USABLE_TLS1_3
-    /* If no TLSv1.3 available then do nothing in this case */
-    if (idx % 2 == 0)
-        return TEST_skip("No TLSv1.3 available");
-#endif
-#ifdef OPENSSL_NO_TLS1_2
-    /* If no TLSv1.2 available then do nothing in this case */
-    if (idx % 2 == 1)
-        return TEST_skip("No TLSv1.2 available");
-#endif
-
-    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
-                                       TLS_client_method(), TLS1_VERSION,
-                                       (idx % 2 == 0) ? TLS1_3_VERSION
-                                                      : TLS1_2_VERSION,
-                                       &sctx, &cctx, cert, privkey))
-            || !TEST_true(SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET)))
-        goto end;
-
-    SSL_CTX_sess_set_get_cb(sctx, get_session_cb);
-    get_sess_val = NULL;
-
-    SSL_CTX_sess_set_cache_size(sctx, 1);
-
-    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
-                                      NULL, NULL)))
-        goto end;
-
-    if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
-        goto end;
-
-    if (idx > 1) {
-        sess = SSL_get_session(serverssl);
-        if (!TEST_ptr(sess))
-            goto end;
-
-        /*
-         * Cause this session to have a longer timeout than the next session to
-         * be added.
-         */
-        if (!TEST_true(SSL_SESSION_set_timeout(sess, LONG_MAX / 2))) {
-            sess = NULL;
-            goto end;
-        }
-        sess = NULL;
-    }
-
-    SSL_shutdown(serverssl);
-    SSL_shutdown(clientssl);
-    SSL_free(serverssl);
-    SSL_free(clientssl);
-    serverssl = clientssl = NULL;
-
-    /*
-     * Session cache size is 1 and we already populated the cache with a session
-     * so the next connection should cause an overflow.
-     */
-
-    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
-                                      NULL, NULL)))
-        goto end;
-
-    if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
-        goto end;
-
-    /*
-     * The session we just negotiated may have been already removed from the
-     * internal cache - but we will return it anyway from our external cache.
-     */
-    get_sess_val = SSL_get_session(serverssl);
-    if (!TEST_ptr(get_sess_val))
-        goto end;
-    sess = SSL_get1_session(clientssl);
-    if (!TEST_ptr(sess))
-        goto end;
-
-    SSL_shutdown(serverssl);
-    SSL_shutdown(clientssl);
-    SSL_free(serverssl);
-    SSL_free(clientssl);
-    serverssl = clientssl = NULL;
-
-    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
-                                      NULL, NULL)))
-        goto end;
-
-    if (!TEST_true(SSL_set_session(clientssl, sess)))
-        goto end;
-
-    if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
-        goto end;
-
-    testresult = 1;
-
- end:
-    SSL_free(serverssl);
-    SSL_free(clientssl);
-    SSL_CTX_free(sctx);
-    SSL_CTX_free(cctx);
-    SSL_SESSION_free(sess);
-
-    return testresult;
-}
-#endif /* !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */
-
-/*
  * Test 0: Client sets servername and server acknowledges it (TLSv1.2)
  * Test 1: Client sets servername and server does not acknowledge it (TLSv1.2)
@@ -9455 +9277 @@
     /* Check that we are not impacted by a provider without any groups */
     OSSL_PROVIDER *legacyprov = OSSL_PROVIDER_load(libctx, "legacy");
-    const char *group_name = idx == 0 ? "xorkemgroup" : "xorgroup";
+    const char *group_name = idx == 0 ? "xorgroup" : "xorkemgroup";
 
     if (!TEST_ptr(tlsprov))
         goto end;
+
+    if (legacyprov == NULL) {
+        /*
+         * In this case we assume we've been built with "no-legacy" and skip
+         * this test (there is no OPENSSL_NO_LEGACY)
+         */
+        testresult = 1;
+        goto end;
+    }
 
     if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
@@ -9469 +9300 @@
         goto end;
 
-    /* ensure GROUPLIST_INCREMENT (=40) logic triggers: */
-    if (!TEST_true(SSL_set1_groups_list(serverssl, "xorgroup:xorkemgroup:dummy1:dummy2:dummy3:dummy4:dummy5:dummy6:dummy7:dummy8:dummy9:dummy10:dummy11:dummy12:dummy13:dummy14:dummy15:dummy16:dummy17:dummy18:dummy19:dummy20:dummy21:dummy22:dummy23:dummy24:dummy25:dummy26:dummy27:dummy28:dummy29:dummy30:dummy31:dummy32:dummy33:dummy34:dummy35:dummy36:dummy37:dummy38:dummy39:dummy40:dummy41:dummy42:dummy43"))
-    /* removing a single algorithm from the list makes the test pass */
+    if (!TEST_true(SSL_set1_groups_list(serverssl, group_name))
             || !TEST_true(SSL_set1_groups_list(clientssl, group_name)))
         goto end;
@@ -10494 +10323 @@
 
 #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE)
+
+static ENGINE *load_dasync(void)
+{
+    ENGINE *e;
+
+    if (!TEST_ptr(e = ENGINE_by_id("dasync")))
+        return NULL;
+
+    if (!TEST_true(ENGINE_init(e))) {
+        ENGINE_free(e);
+        return NULL;
+    }
+
+    if (!TEST_true(ENGINE_register_ciphers(e))) {
+        ENGINE_free(e);
+        return NULL;
+    }
+
+    return e;
+}
+
 /*
  * Test TLSv1.2 with a pipeline capable cipher. TLSv1.3 and DTLS do not
@@ -10785 +10635 @@
     BIO_free(tmp);
     set_always_retry_err_val(-1);
-    return testresult;
-}
-
-struct resume_servername_cb_data {
-    int i;
-    SSL_CTX *cctx;
-    SSL_CTX *sctx;
-    SSL_SESSION *sess;
-    int recurse;
-};
-
-/*
- * Servername callback. We use it here to run another complete handshake using
- * the same session - and mark the session as not_resuamble at the end
- */
-static int resume_servername_cb(SSL *s, int *ad, void *arg)
-{
-    struct resume_servername_cb_data *cbdata = arg;
-    SSL *serverssl = NULL, *clientssl = NULL;
-    int ret = SSL_TLSEXT_ERR_ALERT_FATAL;
-
-    if (cbdata->recurse)
-        return SSL_TLSEXT_ERR_ALERT_FATAL;
-
-    if ((cbdata->i % 3) != 1)
-        return SSL_TLSEXT_ERR_OK;
-
-    cbdata->recurse = 1;
-
-    if (!TEST_true(create_ssl_objects(cbdata->sctx, cbdata->cctx, &serverssl,
-                                      &clientssl, NULL, NULL))
-            || !TEST_true(SSL_set_session(clientssl, cbdata->sess)))
-        goto end;
-
-    ERR_set_mark();
-    /*
-     * We expect this to fail - because the servername cb will fail. This will
-     * mark the session as not_resumable.
-     */
-    if (!TEST_false(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))) {
-        ERR_clear_last_mark();
-        goto end;
-    }
-    ERR_pop_to_mark();
-
-    ret = SSL_TLSEXT_ERR_OK;
- end:
-    SSL_free(serverssl);
-    SSL_free(clientssl);
-    cbdata->recurse = 0;
-    return ret;
-}
-
-/*
- * Test multiple resumptions and cache size handling
- * Test 0: TLSv1.3 (max_early_data set)
- * Test 1: TLSv1.3 (SSL_OP_NO_TICKET set)
- * Test 2: TLSv1.3 (max_early_data and SSL_OP_NO_TICKET set)
- * Test 3: TLSv1.3 (SSL_OP_NO_TICKET, simultaneous resumes)
- * Test 4: TLSv1.2
- */
-static int test_multi_resume(int idx)
-{
-    SSL_CTX *sctx = NULL, *cctx = NULL;
-    SSL *serverssl = NULL, *clientssl = NULL;
-    SSL_SESSION *sess = NULL;
-    int max_version = TLS1_3_VERSION;
-    int i, testresult = 0;
-    struct resume_servername_cb_data cbdata;
-
-#if defined(OPENSSL_NO_TLS1_2)
-    if (idx == 4)
-        return TEST_skip("TLSv1.2 is disabled in this build");
-#else
-    if (idx == 4)
-        max_version = TLS1_2_VERSION;
-#endif
-#if defined(OSSL_NO_USABLE_TLS1_3)
-    if (idx != 4)
-        return TEST_skip("No usable TLSv1.3 in this build");
-#endif
-
-    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
-                                       TLS_client_method(), TLS1_VERSION,
-                                       max_version, &sctx, &cctx, cert,
-                                       privkey)))
-        goto end;
-
-    /*
-     * TLSv1.3 only uses a session cache if either max_early_data > 0 (used for
-     * replay protection), or if SSL_OP_NO_TICKET is in use
-     */
-    if (idx == 0 || idx == 2)  {
-        if (!TEST_true(SSL_CTX_set_max_early_data(sctx, 1024)))
-            goto end;
-    }
-    if (idx == 1 || idx == 2 || idx == 3)
-        SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
-
-    SSL_CTX_sess_set_cache_size(sctx, 5);
-
-    if (idx == 3) {
-        SSL_CTX_set_tlsext_servername_callback(sctx, resume_servername_cb);
-        SSL_CTX_set_tlsext_servername_arg(sctx, &cbdata);
-        cbdata.cctx = cctx;
-        cbdata.sctx = sctx;
-        cbdata.recurse = 0;
-    }
-
-    for (i = 0; i < 30; i++) {
-        if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
-                                                NULL, NULL))
-                || !TEST_true(SSL_set_session(clientssl, sess)))
-            goto end;
-
-        /*
-         * Check simultaneous resumes. We pause the connection part way through
-         * the handshake by (mis)using the servername_cb. The pause occurs after
-         * session resumption has already occurred, but before any session
-         * tickets have been issued. While paused we run another complete
-         * handshake resuming the same session.
-         */
-        if (idx == 3) {
-            cbdata.i = i;
-            cbdata.sess = sess;
-        }
-
-        /*
-         * Recreate a bug where dynamically changing the max_early_data value
-         * can cause sessions in the session cache which cannot be deleted.
-         */
-        if ((idx == 0 || idx == 2) && (i % 3) == 2)
-            SSL_set_max_early_data(serverssl, 0);
-
-        if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
-            goto end;
-
-        if (sess == NULL || (idx == 0 && (i % 3) == 2)) {
-            if (!TEST_false(SSL_session_reused(clientssl)))
-                goto end;
-        } else {
-            if (!TEST_true(SSL_session_reused(clientssl)))
-                goto end;
-        }
-        SSL_SESSION_free(sess);
-
-        /* Do a full handshake, followed by two resumptions */
-        if ((i % 3) == 2) {
-            sess = NULL;
-        } else {
-            if (!TEST_ptr((sess = SSL_get1_session(clientssl))))
-                goto end;
-        }
-
-        SSL_shutdown(clientssl);
-        SSL_shutdown(serverssl);
-        SSL_free(serverssl);
-        SSL_free(clientssl);
-        serverssl = clientssl = NULL;
-    }
-
-    /* We should never exceed the session cache size limit */
-    if (!TEST_long_le(SSL_CTX_sess_number(sctx), 5))
-        goto end;
-
-    testresult = 1;
- end:
-    SSL_free(serverssl);
-    SSL_free(clientssl);
-    SSL_CTX_free(sctx);
-    SSL_CTX_free(cctx);
-    SSL_SESSION_free(sess);
-    return testresult;
-}
-
-static struct next_proto_st {
-    int serverlen;
-    unsigned char server[40];
-    int clientlen;
-    unsigned char client[40];
-    int expected_ret;
-    size_t selectedlen;
-    unsigned char selected[40];
-} next_proto_tests[] = {
-    {
-        4, { 3, 'a', 'b', 'c' },
-        4, { 3, 'a', 'b', 'c' },
-        OPENSSL_NPN_NEGOTIATED,
-        3, { 'a', 'b', 'c' }
-    },
-    {
-        7, { 3, 'a', 'b', 'c', 2, 'a', 'b' },
-        4, { 3, 'a', 'b', 'c' },
-        OPENSSL_NPN_NEGOTIATED,
-        3, { 'a', 'b', 'c' }
-    },
-    {
-        7, { 2, 'a', 'b', 3, 'a', 'b', 'c', },
-        4, { 3, 'a', 'b', 'c' },
-        OPENSSL_NPN_NEGOTIATED,
-        3, { 'a', 'b', 'c' }
-    },
-    {
-        4, { 3, 'a', 'b', 'c' },
-        7, { 3, 'a', 'b', 'c', 2, 'a', 'b', },
-        OPENSSL_NPN_NEGOTIATED,
-        3, { 'a', 'b', 'c' }
-    },
-    {
-        4, { 3, 'a', 'b', 'c' },
-        7, { 2, 'a', 'b', 3, 'a', 'b', 'c'},
-        OPENSSL_NPN_NEGOTIATED,
-        3, { 'a', 'b', 'c' }
-    },
-    {
-        7, { 2, 'b', 'c', 3, 'a', 'b', 'c' },
-        7, { 2, 'a', 'b', 3, 'a', 'b', 'c'},
-        OPENSSL_NPN_NEGOTIATED,
-        3, { 'a', 'b', 'c' }
-    },
-    {
-        10, { 2, 'b', 'c', 3, 'a', 'b', 'c', 2, 'a', 'b' },
-        7, { 2, 'a', 'b', 3, 'a', 'b', 'c'},
-        OPENSSL_NPN_NEGOTIATED,
-        3, { 'a', 'b', 'c' }
-    },
-    {
-        4, { 3, 'b', 'c', 'd' },
-        4, { 3, 'a', 'b', 'c' },
-        OPENSSL_NPN_NO_OVERLAP,
-        3, { 'a', 'b', 'c' }
-    },
-    {
-        0, { 0 },
-        4, { 3, 'a', 'b', 'c' },
-        OPENSSL_NPN_NO_OVERLAP,
-        3, { 'a', 'b', 'c' }
-    },
-    {
-        -1, { 0 },
-        4, { 3, 'a', 'b', 'c' },
-        OPENSSL_NPN_NO_OVERLAP,
-        3, { 'a', 'b', 'c' }
-    },
-    {
-        4, { 3, 'a', 'b', 'c' },
-        0, { 0 },
-        OPENSSL_NPN_NO_OVERLAP,
-        0, { 0 }
-    },
-    {
-        4, { 3, 'a', 'b', 'c' },
-        -1, { 0 },
-        OPENSSL_NPN_NO_OVERLAP,
-        0, { 0 }
-    },
-    {
-        3, { 3, 'a', 'b', 'c' },
-        4, { 3, 'a', 'b', 'c' },
-        OPENSSL_NPN_NO_OVERLAP,
-        3, { 'a', 'b', 'c' }
-    },
-    {
-        4, { 3, 'a', 'b', 'c' },
-        3, { 3, 'a', 'b', 'c' },
-        OPENSSL_NPN_NO_OVERLAP,
-        0, { 0 }
-    }
-};
-
-static int test_select_next_proto(int idx)
-{
-    struct next_proto_st *np = &next_proto_tests[idx];
-    int ret = 0;
-    unsigned char *out, *client, *server;
-    unsigned char outlen;
-    unsigned int clientlen, serverlen;
-
-    if (np->clientlen == -1) {
-        client = NULL;
-        clientlen = 0;
-    } else {
-        client = np->client;
-        clientlen = (unsigned int)np->clientlen;
-    }
-    if (np->serverlen == -1) {
-        server = NULL;
-        serverlen = 0;
-    } else {
-        server = np->server;
-        serverlen = (unsigned int)np->serverlen;
-    }
-
-    if (!TEST_int_eq(SSL_select_next_proto(&out, &outlen, server, serverlen,
-                                           client, clientlen),
-                     np->expected_ret))
-        goto err;
-
-    if (np->selectedlen == 0) {
-        if (!TEST_ptr_null(out) || !TEST_uchar_eq(outlen, 0))
-            goto err;
-    } else {
-        if (!TEST_mem_eq(out, outlen, np->selected, np->selectedlen))
-            goto err;
-    }
-
-    ret = 1;
- err:
-    return ret;
-}
-
-static const unsigned char fooprot[] = {3, 'f', 'o', 'o' };
-static const unsigned char barprot[] = {3, 'b', 'a', 'r' };
-
-#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_NEXTPROTONEG)
-static int npn_advert_cb(SSL *ssl, const unsigned char **out,
-                         unsigned int *outlen, void *arg)
-{
-    int *idx = (int *)arg;
-
-    switch (*idx) {
-    default:
-    case 0:
-        *out = fooprot;
-        *outlen = sizeof(fooprot);
-        return SSL_TLSEXT_ERR_OK;
-
-    case 1:
-        *outlen = 0;
-        return SSL_TLSEXT_ERR_OK;
-
-    case 2:
-        return SSL_TLSEXT_ERR_NOACK;
-    }
-}
-
-static int npn_select_cb(SSL *s, unsigned char **out, unsigned char *outlen,
-                         const unsigned char *in, unsigned int inlen, void *arg)
-{
-    int *idx = (int *)arg;
-
-    switch (*idx) {
-    case 0:
-    case 1:
-        *out = (unsigned char *)(fooprot + 1);
-        *outlen = *fooprot;
-        return SSL_TLSEXT_ERR_OK;
-
-    case 3:
-        *out = (unsigned char *)(barprot + 1);
-        *outlen = *barprot;
-        return SSL_TLSEXT_ERR_OK;
-
-    case 4:
-        *outlen = 0;
-        return SSL_TLSEXT_ERR_OK;
-
-    default:
-    case 2:
-        return SSL_TLSEXT_ERR_ALERT_FATAL;
-    }
-}
-
-/*
- * Test the NPN callbacks
- * Test 0: advert = foo, select = foo
- * Test 1: advert = <empty>, select = foo
- * Test 2: no advert
- * Test 3: advert = foo, select = bar
- * Test 4: advert = foo, select = <empty> (should fail)
- */
-static int test_npn(int idx)
-{
-    SSL_CTX *sctx = NULL, *cctx = NULL;
-    SSL *serverssl = NULL, *clientssl = NULL;
-    int testresult = 0;
-
-    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
-                                       TLS_client_method(), 0, TLS1_2_VERSION,
-                                       &sctx, &cctx, cert, privkey)))
-        goto end;
-
-    SSL_CTX_set_next_protos_advertised_cb(sctx, npn_advert_cb, &idx);
-    SSL_CTX_set_next_proto_select_cb(cctx, npn_select_cb, &idx);
-
-    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
-                                      NULL)))
-        goto end;
-
-    if (idx == 4) {
-        /* We don't allow empty selection of NPN, so this should fail */
-        if (!TEST_false(create_ssl_connection(serverssl, clientssl,
-                                              SSL_ERROR_NONE)))
-            goto end;
-    } else {
-        const unsigned char *prot;
-        unsigned int protlen;
-
-        if (!TEST_true(create_ssl_connection(serverssl, clientssl,
-                                             SSL_ERROR_NONE)))
-            goto end;
-
-        SSL_get0_next_proto_negotiated(serverssl, &prot, &protlen);
-        switch (idx) {
-        case 0:
-        case 1:
-            if (!TEST_mem_eq(prot, protlen, fooprot + 1, *fooprot))
-                goto end;
-            break;
-        case 2:
-            if (!TEST_uint_eq(protlen, 0))
-                goto end;
-            break;
-        case 3:
-            if (!TEST_mem_eq(prot, protlen, barprot + 1, *barprot))
-                goto end;
-            break;
-        default:
-            TEST_error("Should not get here");
-            goto end;
-        }
-    }
-
-    testresult = 1;
- end:
-    SSL_free(serverssl);
-    SSL_free(clientssl);
-    SSL_CTX_free(sctx);
-    SSL_CTX_free(cctx);
-
-    return testresult;
-}
-#endif /* !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_NEXTPROTONEG) */
-
-static int alpn_select_cb2(SSL *ssl, const unsigned char **out,
-                           unsigned char *outlen, const unsigned char *in,
-                           unsigned int inlen, void *arg)
-{
-    int *idx = (int *)arg;
-
-    switch (*idx) {
-    case 0:
-        *out = (unsigned char *)(fooprot + 1);
-        *outlen = *fooprot;
-        return SSL_TLSEXT_ERR_OK;
-
-    case 2:
-        *out = (unsigned char *)(barprot + 1);
-        *outlen = *barprot;
-        return SSL_TLSEXT_ERR_OK;
-
-    case 3:
-        *outlen = 0;
-        return SSL_TLSEXT_ERR_OK;
-
-    default:
-    case 1:
-        return SSL_TLSEXT_ERR_ALERT_FATAL;
-    }
-    return 0;
-}
-
-/*
- * Test the ALPN callbacks
- * Test 0: client = foo, select = foo
- * Test 1: client = <empty>, select = none
- * Test 2: client = foo, select = bar (should fail)
- * Test 3: client = foo, select = <empty> (should fail)
- */
-static int test_alpn(int idx)
-{
-    SSL_CTX *sctx = NULL, *cctx = NULL;
-    SSL *serverssl = NULL, *clientssl = NULL;
-    int testresult = 0;
-    const unsigned char *prots = fooprot;
-    unsigned int protslen = sizeof(fooprot);
-
-    if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
-                                       TLS_client_method(), 0, 0,
-                                       &sctx, &cctx, cert, privkey)))
-        goto end;
-
-    SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb2, &idx);
-
-    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
-                                      NULL)))
-        goto end;
-
-    if (idx == 1) {
-        prots = NULL;
-        protslen = 0;
-    }
-
-    /* SSL_set_alpn_protos returns 0 for success! */
-    if (!TEST_false(SSL_set_alpn_protos(clientssl, prots, protslen)))
-        goto end;
-
-    if (idx == 2 || idx == 3) {
-        /* We don't allow empty selection of NPN, so this should fail */
-        if (!TEST_false(create_ssl_connection(serverssl, clientssl,
-                                              SSL_ERROR_NONE)))
-            goto end;
-    } else {
-        const unsigned char *prot;
-        unsigned int protlen;
-
-        if (!TEST_true(create_ssl_connection(serverssl, clientssl,
-                                             SSL_ERROR_NONE)))
-            goto end;
-
-        SSL_get0_alpn_selected(clientssl, &prot, &protlen);
-        switch (idx) {
-        case 0:
-            if (!TEST_mem_eq(prot, protlen, fooprot + 1, *fooprot))
-                goto end;
-            break;
-        case 1:
-            if (!TEST_uint_eq(protlen, 0))
-                goto end;
-            break;
-        default:
-            TEST_error("Should not get here");
-            goto end;
-        }
-    }
-
-    testresult = 1;
- end:
-    SSL_free(serverssl);
-    SSL_free(clientssl);
-    SSL_CTX_free(sctx);
-    SSL_CTX_free(cctx);
-
     return testresult;
 }
@@ -11606 +10923 @@
     ADD_TEST(test_set_verify_cert_store_ssl);
     ADD_ALL_TESTS(test_session_timeout, 1);
-#if !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)
-    ADD_ALL_TESTS(test_session_cache_overflow, 4);
-#endif
     ADD_TEST(test_load_dhfile);
 #ifndef OSSL_NO_USABLE_TLS1_3
@@ -11621 +10935 @@
 #endif
     ADD_ALL_TESTS(test_handshake_retry, 16);
-    ADD_ALL_TESTS(test_multi_resume, 5);
-    ADD_ALL_TESTS(test_select_next_proto, OSSL_NELEM(next_proto_tests));
-#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_NEXTPROTONEG)
-    ADD_ALL_TESTS(test_npn, 5);
-#endif
-    ADD_ALL_TESTS(test_alpn, 4);
     return 1;
 

trunk/src/libs/openssl-3.1.7/test/sslbuffertest.c

@@ -1 +1 @@
 /*
- * Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License");
@@ -9 +9 @@
  */
 
-/*
- * We need access to the deprecated low level Engine APIs for legacy purposes
- * when the deprecated calls are not hidden
- */
-#ifndef OPENSSL_NO_DEPRECATED_3_0
-# define OPENSSL_SUPPRESS_DEPRECATED
-#endif
-
 #include <string.h>
 #include <openssl/ssl.h>
 #include <openssl/bio.h>
 #include <openssl/err.h>
-#include <openssl/engine.h>
 
 #include "internal/packet.h"
@@ -160 +151 @@
 }
 
-/*
- * Test that attempting to free the buffers at points where they cannot be freed
- * works as expected
- * Test 0: Attempt to free buffers after a full record has been processed, but
- *         the application has only performed a partial read
- * Test 1: Attempt to free buffers after only a partial record header has been
- *         received
- * Test 2: Attempt to free buffers after a full record header but no record body
- * Test 3: Attempt to free buffers after a full record hedaer and partial record
- *         body
- * Test 4-7: We repeat tests 0-3 but including data from a second pipelined
- *           record
- */
-static int test_free_buffers(int test)
-{
-    int result = 0;
-    SSL *serverssl = NULL, *clientssl = NULL;
-    const char testdata[] = "Test data";
-    char buf[120];
-    size_t written, readbytes;
-    int i, pipeline = test > 3;
-    ENGINE *e = NULL;
-
-    if (pipeline) {
-        e = load_dasync();
-        if (e == NULL)
-            goto end;
-        test -= 4;
-    }
-
-    if (!TEST_true(create_ssl_objects(serverctx, clientctx, &serverssl,
-                                      &clientssl, NULL, NULL)))
-        goto end;
-
-    if (pipeline) {
-        if (!TEST_true(SSL_set_cipher_list(serverssl, "AES128-SHA"))
-                || !TEST_true(SSL_set_max_proto_version(serverssl,
-                                                        TLS1_2_VERSION))
-                || !TEST_true(SSL_set_max_pipelines(serverssl, 2)))
-            goto end;
-    }
-
-    if (!TEST_true(create_ssl_connection(serverssl, clientssl,
-                                         SSL_ERROR_NONE)))
-        goto end;
-
-    /*
-     * For the non-pipeline case we write one record. For pipelining we write
-     * two records.
-     */
-    for (i = 0; i <= pipeline; i++) {
-        if (!TEST_true(SSL_write_ex(clientssl, testdata, strlen(testdata),
-                                    &written)))
-            goto end;
-    }
-
-    if (test == 0) {
-        size_t readlen = 1;
-
-        /*
-         * Deliberately only read the first byte - so the remaining bytes are
-         * still buffered. In the pipelining case we read as far as the first
-         * byte from the second record.
-         */
-        if (pipeline)
-            readlen += strlen(testdata);
-
-        if (!TEST_true(SSL_read_ex(serverssl, buf, readlen, &readbytes))
-                || !TEST_size_t_eq(readlen, readbytes))
-            goto end;
-    } else {
-        BIO *tmp;
-        size_t partial_len;
-
-        /* Remove all the data that is pending for read by the server */
-        tmp = SSL_get_rbio(serverssl);
-        if (!TEST_true(BIO_read_ex(tmp, buf, sizeof(buf), &readbytes))
-                || !TEST_size_t_lt(readbytes, sizeof(buf))
-                || !TEST_size_t_gt(readbytes, SSL3_RT_HEADER_LENGTH))
-            goto end;
-
-        switch(test) {
-        case 1:
-            partial_len = SSL3_RT_HEADER_LENGTH - 1;
-            break;
-        case 2:
-            partial_len = SSL3_RT_HEADER_LENGTH;
-            break;
-        case 3:
-            partial_len = readbytes - 1;
-            break;
-        default:
-            TEST_error("Invalid test index");
-            goto end;
-        }
-
-        if (pipeline) {
-            /* We happen to know the first record is 57 bytes long */
-            const size_t first_rec_len = 57;
-
-            if (test != 3)
-                partial_len += first_rec_len;
-
-            /*
-             * Sanity check. If we got the record len right then this should
-             * never fail.
-             */
-            if (!TEST_int_eq(buf[first_rec_len], SSL3_RT_APPLICATION_DATA))
-                goto end;
-        }
-
-        /*
-         * Put back just the partial record (plus the whole initial record in
-         * the pipelining case)
-         */
-        if (!TEST_true(BIO_write_ex(tmp, buf, partial_len, &written)))
-            goto end;
-
-        if (pipeline) {
-            /*
-             * Attempt a read. This should pass but only return data from the
-             * first record. Only a partial record is available for the second
-             * record.
-             */
-            if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf),
-                                        &readbytes))
-                    || !TEST_size_t_eq(readbytes, strlen(testdata)))
-                goto end;
-        } else {
-            /*
-            * Attempt a read. This should fail because only a partial record is
-            * available.
-            */
-            if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf),
-                                        &readbytes)))
-                goto end;
-        }
-    }
-
-    /*
-     * Attempting to free the buffers at this point should fail because they are
-     * still in use
-     */
-    if (!TEST_false(SSL_free_buffers(serverssl)))
-        goto end;
-
-    result = 1;
- end:
-    SSL_free(clientssl);
-    SSL_free(serverssl);
-#ifndef OPENSSL_NO_DYNAMIC_ENGINE
-    if (e != NULL) {
-        ENGINE_unregister_ciphers(e);
-        ENGINE_finish(e);
-        ENGINE_free(e);
-    }
-#endif
-    return result;
-}
-
 OPT_TEST_DECLARE_USAGE("certfile privkeyfile\n")
 
@@ -343 +174 @@
 
     ADD_ALL_TESTS(test_func, 9);
-#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE)
-    ADD_ALL_TESTS(test_free_buffers, 8);
-#else
-    ADD_ALL_TESTS(test_free_buffers, 4);
-#endif
     return 1;
 }

trunk/src/libs/openssl-3.1.7/test/test.cnf

@@ -73 +73 @@
 emailAddress                    = email field
 emailAddress_value              = [email protected]
-
-[ dirname_sec ]
-C  = UK
-O  = My Organization
-OU = My Unit
-CN = My Name

trunk/src/libs/openssl-3.1.7/test/tls-provider.c

@@ -1 +1 @@
 /*
- * Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
@@ -186 +186 @@
 
     /* Register our 2 groups */
-    OPENSSL_assert(xor_group.group_id >= 65024
-                   && xor_group.group_id < 65279 - NUM_DUMMY_GROUPS);
     ret = cb(xor_group_params, arg);
     ret &= cb(xor_kemgroup_params, arg);
@@ -199 +197 @@
     for (i = 0; i < NUM_DUMMY_GROUPS; i++) {
         OSSL_PARAM dummygroup[OSSL_NELEM(xor_group_params)];
-        unsigned int dummygroup_id;
 
         memcpy(dummygroup, xor_group_params, sizeof(xor_group_params));
@@ -214 +211 @@
         dummygroup[0].data = dummy_group_names[i];
         dummygroup[0].data_size = strlen(dummy_group_names[i]) + 1;
-        /* assign unique group IDs also to dummy groups for registration */
-        dummygroup_id = 65279 - NUM_DUMMY_GROUPS + i;
-        dummygroup[3].data = (unsigned char*)&dummygroup_id;
         ret &= cb(dummygroup, arg);
     }
@@ -824 +818 @@
     /*
      * Ensure group_id is within the IANA Reserved for private use range
-     * (65024-65279).
-     * Carve out NUM_DUMMY_GROUPS ids for properly registering those.
+     * (65024-65279)
      */
-    group_id %= 65279 - NUM_DUMMY_GROUPS - 65024;
+    group_id %= 65279 - 65024;
     group_id += 65024;
 

trunk/src/libs/openssl-3.1.7/test/v3ext.c

@@ -1 +1 @@
 /*
- * Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
@@ -270 +270 @@
     if (!ASN1_OCTET_STRING_set(f1->addressFamily, key, keylen))
         goto end;
-
-    /* Push and transfer memory ownership to stack */
     if (!sk_IPAddressFamily_push(addr, f1))
         goto end;
-    f1 = NULL;
 
     /* Shouldn't be able to canonize this as the len is > 3*/
@@ -280 +277 @@
         goto end;
 
-    /* Pop and free the new stack element */
-    IPAddressFamily_free(sk_IPAddressFamily_pop(addr));
-
-    /* Create a well-formed IPAddressFamily */
+    /* Create a well formed IPAddressFamily */
+    f1 = sk_IPAddressFamily_pop(addr);
+    IPAddressFamily_free(f1);
+
     key[0] = (afi >> 8) & 0xFF;
     key[1] = afi & 0xFF;
@@ -301 +298 @@
     /* Mark this as inheritance so we skip some of the is_canonize checks */
     f1->ipAddressChoice->type = IPAddressChoice_inherit;
-
-    /* Push and transfer memory ownership to stack */
     if (!sk_IPAddressFamily_push(addr, f1))
         goto end;
-    f1 = NULL;
 
     /* Should be able to canonize now */
@@ -313 +307 @@
     testresult = 1;
   end:
-    /* Free stack and any memory owned by detached element */
-    IPAddressFamily_free(f1);
     sk_IPAddressFamily_pop_free(addr, IPAddressFamily_free);
-
     ASN1_OCTET_STRING_free(ip1);
     ASN1_OCTET_STRING_free(ip2);