Update X509 fuzzer to verify a chain #20243
Conversation
The CI is relevant.
So it still fails with:
Not sure what's wrong.
test/recipes/99-test_fuzz_x509.t
@@ -15,6 +15,9 @@ use OpenSSL::Test::Utils; | |||
my $fuzzer = "x509"; | |||
setup("test_fuzz_${fuzzer}"); | |||
|
|||
plan skip_all => "This test requires $fuzzer support" | |||
if disabled($fuzzer); |
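Review bot: the `plan skip_all` guard added here keys on `disabled($fuzzer)`, i.e. `disabled("x509")`, but the dependency this change introduces into the fuzzer is OCSP, so the skip does not fire for the build that actually cannot run the new code path; make the condition `if disabled("ocsp");` so `test_fuzz_x509` is skipped exactly in `no-ocsp` builds.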
Should you check disabled("ocsp") instead?
Why aren't all the CI jobs running?
@@ -15,6 +15,9 @@ use OpenSSL::Test::Utils; | |||
my $fuzzer = "x509"; | |||
setup("test_fuzz_${fuzzer}"); | |||
|
|||
plan skip_all => "This test requires $fuzzer support" | |||
if disabled("ocsp"); |
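Review bot: skipping the whole `test_fuzz_x509` run on `disabled("ocsp")` also drops the chain, CA-signature and CRL coverage that the rest of the fuzzer still provides in a `no-ocsp` build; an alternative is to guard only the OCSP-specific part of the fuzzer with `#ifndef OPENSSL_NO_OCSP` and keep the test running, at the cost of leaving the OCSP tail of each corpus file unused in such builds.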
Is there no way the test could be compiled with #ifndef OPENSSL_NO_OCSP?
In theory, yes. Since it's the last part of the file, it will currently then ignore part of the file it reads, and just not cover as much. If at some later point, the test is extended to read more data, the files will not have proper coverage.
This PR is in a state where it requires action by @openssl/committers but the last update was 30 days ago
@kroeckx could you please rebase this?
It adds support for verifying that it's been signed by a CA, and checks the CRL and OCSP status. Can find CVE-2022-4203 and CVE-2023-0286.
Can someone please review this? This has been waiting for review for 8 months now, significantly increases our fuzz coverage and can detect 2 more CVEs.
LGTM
Not sure about the 1.1.1 branch but LGTM
24 hours has passed since 'approval: done' was set, but as this PR has been updated in that time the label 'approval: ready to merge' is not being automatically set. Please review the updates and set the label manually.
Looks like this is ready to merge.
It adds support for verifying that it's been signed by a CA, and checks the CRL and OCSP status. Can find CVE-2022-4203 and CVE-2023-0286. Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Hugo Landau <hlandau@openssl.org> (Merged from #20243)
Merged to master, 3.1, 3.0 and 1.1.1. Thank you. A trivial build.info file conflict was fixed during merge to 3.1 and 3.0. The changes needed to rebase this on 1.1.1 look slightly more substantial; would you like to open another PR?
No, please leave 1.1.1 as is, it is EOL next week anyway.