These were adapted from BoringSSL's regress tests for x509
policy. They are currently marked as expected to fail as
we have not enabled LIBRESSL_HAS_POLICY_DAG by default yet, and
the old tree based policy code from OpenSSL is special.
These tests pass when we build with LIBRESSL_HAS_POLICY_DAG.
Still a work in progress adapting tests from boringssl x509_test.cc
but dropping in here for tb to be able to look at and run as well
since the new stuff still has bugs.
This verifies that we put PSK always last and that the Apache 2 special
does what it is supposed to do. There is also some weak validation of
the Fisher-Yates shuffle that will likely catch errors introduced in
tlsext_randomize_build_order()
rather than always getting the current system time for every certificate
verification. This will result in output that is not variable on run-time.
ok tb@ claudio@
This currently only covers Ed25519 using the c2sp-testvectors package
and checks that our Ed25519 implementation behaves as expected from a
"ref10" implementation.
This test has Go and c2sp-testvectors as a hard dependency. It will
optionally pick up any OpenSSL package installed on the system and
test that as well.
https://github.com/C2SP/CCTVhttps://github.com/C2SP/CCTV/tree/main/ed25519
A few years back beck introduced REGRESS_SKIP_SLOW dances with the idea
that this should speed up the interop tests for us devs because this also
checked interop between opensslX and opensslY, which we don't particularly
care about. This never really worked. On a mac m1 mini the result is this:
REGRESS_SKIP_SLOW unset
9m56.69s real 3m42.24s user 3m00.70s system
REGRESS_SKIP_SLOW=yes
11m04.61s real 7m29.61s user 1m40.29s system
The problem is that REGRESS_SKIP_SLOW simply wasn't designed to handle
the huge number of tests we have here. There are many nested .for loops
resulting in several thousand tests. Each test has a name of length ~80.
REGRESS_SKIP_SLOW concatenates them into a several hundred kilobytes
long string in REGRESS_SKIP_TARGETS, iterates over all regress targets and
tests with ".if ${REGRESS_SKIP_TARGETS:M${RT}}" if it should skip them.
This means that during a regress run, make spends a lot of time linearly
scanning a huge string.
I ran into this when I added OpenSSL 3.0 tests to the already existing
1.0.2 and 1.1 tests with the result that with REGRESS_SLOW_TARGTS set
it took the better part of an hour while without it it took about 15 min.
The hack here is simply to avoid using REGRESS_SLOW_TARGTES here and
handle the situation differently.
patch, REGRESS_SKIP_SLOW=yes
5m42.32s real 2m09.98s user 1m45.21s system
The real solution would be to fix this in bsd.regress.mk, which someone
who understands make well is very welcome to do. For now, I'm happy with
this.
Debugged with jsing a few months ago
