Remove the external BoringSSL test

Fixes #14424 Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14682)
2021-03-25 12:46:29 +01:00 · 2021-03-25 12:46:29 +01:00 · cede07dc51
commit cede07dc51
parent 6b2e51dd36
19 changed files with 60 additions and 2864 deletions
--- a/.gitattributes
+++ b/.gitattributes
@ -8,7 +8,6 @@ fuzz/corpora/**                         export-ignore
 Configurations/*.norelease.conf         export-ignore
 .*                                      export-ignore
 util/mktar.sh                           export-ignore
 boringssl                               export-ignore
 krb5                                    export-ignore
 pyca-cryptography                       export-ignore
 dev                                     export-ignore
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -200,7 +200,5 @@ jobs:
      run: make test TESTS="test_external_gost_engine"
    - name: test external krb5
      run: make test TESTS="test_external_krb5"
 #   - name: test external boringssl
 #     run: BORING_RUNNER_DIR=$(pwd)/boringssl/ssl/test/runner make test TESTS="test_external_boringssl"
 #   - name: test external pyca
 #     run: make test TESTS="test_external_pyca"
--- a/.gitmodules
+++ b/.gitmodules
@ -1,7 +1,3 @@
 [submodule "boringssl"]
 	path = boringssl
 	url = https://boringssl.googlesource.com/boringssl
 [submodule "pyca.cryptography"]
 	path = pyca-cryptography
 	url = https://github.com/pyca/cryptography.git
--- a/INSTALL.md
+++ b/INSTALL.md
@ -692,7 +692,7 @@ Enable building of integration with external test suites.
 This is a developer option and may not work on all platforms.  The following
 external test suites are currently supported:
- - BoringSSL test suite
+ - GOST engine test suite
 - Python PYCA/Cryptography test suite
 - krb5 test suite
--- a/1
+++ b/1
@ -1 +0,0 @@
 Subproject commit 2070f8ad9151dc8f3a73bffaa146b5e6937a583f
--- a/test/README-external.md
+++ b/test/README-external.md
@ -5,69 +5,6 @@ It is possible to integrate external test suites into OpenSSL's `make test`.
 This capability is considered a developer option and does not work on all
 platforms.
 The BoringSSL test suite
 ========================
 In order to run the BoringSSL tests with OpenSSL, first checkout the BoringSSL
 source code into an appropriate directory. This can be done in two ways:
 1) Separately from the OpenSSL checkout using:
    $ git clone https://boringssl.googlesource.com/boringssl boringssl
  The BoringSSL tests are only confirmed to work at a specific commit in the
  BoringSSL repository. Later commits may or may not pass the test suite:
    $ cd boringssl
    $ git checkout 490469f850e
 2) Using the already configured submodule settings in OpenSSL:
    $ git submodule update --init
 Configure the OpenSSL source code to enable the external tests:
    $ cd ../openssl
    $ ./config enable-ssl3 enable-ssl3-method enable-weak-ssl-ciphers \
             enable-external-tests
 Note that using other config options than those given above may cause the tests
 to fail.
 Run the OpenSSL tests by providing the path to the BoringSSL test runner in the
 `BORING_RUNNER_DIR` environment variable:
    $ BORING_RUNNER_DIR=/path/to/boringssl/ssl/test/runner make test
 Note that the test suite may change directory while running so the path provided
 should be absolute and not relative to the current working directory.
 To see more detailed output you can run just the BoringSSL tests with the
 verbose option:
    $ VERBOSE=1 BORING_RUNNER_DIR=/path/to/boringssl/ssl/test/runner make \
        TESTS="test_external_boringssl" test
 Test failures and suppressions
 ------------------------------
 A large number of the BoringSSL tests are known to fail. A test could fail
 because of many possible reasons. For example:
 - A bug in OpenSSL
 - Different interpretations of standards
 - Assumptions about the way BoringSSL works that do not apply to OpenSSL
 - The test uses APIs added to BoringSSL that are not present in OpenSSL
 - etc
 In order to provide a "clean" baseline run with all the tests passing a config
 file has been provided that suppresses the running of tests that are known to
 fail. These suppressions are held in the file "test/ossl_shim/ossl_config.json"
 within the OpenSSL source code.
 The community is encouraged to contribute patches which reduce the number of
 suppressions that are currently present.
 Python PYCA/Cryptography test suite
 ===================================
--- a/test/build.info
+++ b/test/build.info
@ -1,5 +1,3 @@
 SUBDIRS=ossl_shim
 # TODO: use ../apps/libapps.a instead of direct ../apps/lib source.
 # This can't currently be done, because some of its units drag in too many
 # unresolved references that don't apply here.
--- a/test/data2.bin
+++ b/test/data2.bin
@ -1,188 +1,61 @@
 TEST DATA2
-Running external test suites with OpenSSL
+This is just some data that is meant to be different from the contents
-=========================================
+of the data.bin file.
-
+
-It is possible to integrate external test suites into OpenSSL's "make test".
+Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod
-This capability is considered a developer option and does not work on all
+tempor incididunt ut labore et dolore magna aliqua. Hendrerit dolor magna
-platforms.
+eget est. Integer enim neque volutpat ac tincidunt vitae. Erat imperdiet
-
+sed euismod nisi porta. Sit amet volutpat consequat mauris nunc.
-
+Fermentum leo vel orci porta non. Purus viverra accumsan in nisl.
-
+Volutpat maecenas volutpat blandit aliquam etiam erat velit scelerisque.
-The BoringSSL test suite
+Gravida in fermentum et sollicitudin ac orci phasellus. Ut eu sem integer
-========================
+vitae justo eget. Enim tortor at auctor urna nunc id. Laoreet non
-
+curabitur gravida arcu ac tortor dignissim convallis aenean. A lacus
-In order to run the BoringSSL tests with OpenSSL, first checkout the BoringSSL
+vestibulum sed arcu non odio euismod lacinia. In metus vulputate eu
-source code into an appropriate directory. This can be done in two ways:
+scelerisque felis imperdiet proin fermentum. Semper quis lectus nulla at
-
+volutpat diam ut venenatis tellus. Hac habitasse platea dictumst quisque.
-1) Separately from the OpenSSL checkout using:
+Augue ut lectus arcu bibendum at varius vel pharetra. Nisl nunc mi ipsum
-
+faucibus vitae aliquet. Nec sagittis aliquam malesuada bibendum arcu
-  $ git clone https://boringssl.googlesource.com/boringssl boringssl
+vitae. Tellus id interdum velit laoreet id donec ultrices.
-
+
-  The BoringSSL tests are only confirmed to work at a specific commit in the
+Eget gravida cum sociis natoque. Nunc vel risus commodo viverra maecenas
-  BoringSSL repository. Later commits may or may not pass the test suite:
+accumsan. Enim lobortis scelerisque fermentum dui faucibus. Quis eleifend
-
+quam adipiscing vitae. Nec nam aliquam sem et tortor. Pharetra massa
-  $ cd boringssl
+massa ultricies mi quis hendrerit. Tellus in metus vulputate eu
-  $ git checkout 490469f850e
+scelerisque. Et ultrices neque ornare aenean euismod elementum. Tellus
-
+mauris a diam maecenas sed enim ut sem viverra. Fermentum leo vel orci
-2) Using the already configured submodule settings in OpenSSL:
+porta non pulvinar neque. Risus nullam eget felis eget nunc. Sed tempus
-
+urna et pharetra pharetra massa massa ultricies. Dui sapien eget mi
-  $ git submodule update --init
+proin. Vitae elementum curabitur vitae nunc sed velit dignissim sodales.
-
+Sed arcu non odio euismod lacinia at. Enim praesent elementum facilisis
-Configure the OpenSSL source code to enable the external tests:
+leo vel fringilla. Vel facilisis volutpat est velit egestas dui id ornare
-
+arcu. Arcu dictum varius duis at. Pretium lectus quam id leo in vitae.
-$ cd ../openssl
+
-$ ./config enable-ssl3 enable-ssl3-method enable-weak-ssl-ciphers \
+Egestas fringilla phasellus faucibus scelerisque eleifend donec. Ut
-  enable-external-tests
+ornare lectus sit amet est placerat in egestas. Viverra ipsum nunc
-
+aliquet bibendum enim facilisis gravida neque. Commodo ullamcorper a
-Note that using other config options than those given above may cause the tests
+lacus vestibulum. Urna molestie at elementum eu. Mi in nulla posuere
-to fail.
+sollicitudin aliquam ultrices sagittis orci a. Orci sagittis eu volutpat
-
+odio facilisis mauris sit. Volutpat ac tincidunt vitae semper quis.
-Run the OpenSSL tests by providing the path to the BoringSSL test runner in the
+Adipiscing elit duis tristique sollicitudin nibh. Dignissim enim sit amet
-BORING_RUNNER_DIR environment variable:
+venenatis urna cursus. Lacus luctus accumsan tortor posuere ac ut. Eu
-
+feugiat pretium nibh ipsum consequat nisl. Arcu risus quis varius quam
-$ BORING_RUNNER_DIR=/path/to/boringssl/ssl/test/runner make test
+quisque id diam. Urna nec tincidunt praesent semper feugiat nibh sed. Sed
-
+libero enim sed faucibus turpis in eu mi.
-Note that the test suite may change directory while running so the path provided
+
-should be absolute and not relative to the current working directory.
+Suspendisse faucibus interdum posuere lorem ipsum dolor sit amet. Aliquet
-
+eget sit amet tellus cras adipiscing enim. Lectus proin nibh nisl
-To see more detailed output you can run just the BoringSSL tests with the
+condimentum id. Et odio pellentesque diam volutpat commodo sed egestas
-verbose option:
+egestas. Tempor id eu nisl nunc mi ipsum. Egestas erat imperdiet sed
-
+euismod nisi porta lorem mollis aliquam. Pretium quam vulputate dignissim
-$ VERBOSE=1 BORING_RUNNER_DIR=/path/to/boringssl/ssl/test/runner make \
+suspendisse in est. Volutpat commodo sed egestas egestas fringilla. In
-  TESTS="test_external_boringssl" test
+aliquam sem fringilla ut. Viverra accumsan in nisl nisi. Nam at lectus
-
+urna duis convallis convallis. Tortor posuere ac ut consequat semper.
-
+Pellentesque habitant morbi tristique senectus et netus et malesuada.
-Test failures and suppressions
+Aliquet enim tortor at auctor urna nunc id cursus metus. Sit amet luctus
------------------------------
+venenatis lectus magna. A diam maecenas sed enim ut sem viverra aliquet.
-
+Pellentesque sit amet porttitor eget dolor morbi. Eget lorem dolor sed
-A large number of the BoringSSL tests are known to fail. A test could fail
+viverra ipsum nunc aliquet bibendum enim. Iaculis urna id volutpat lacus
-because of many possible reasons. For example:
+laoreet non curabitur. Mattis vulputate enim nulla aliquet porttitor
-
+lacus luctus accumsan tortor.
 - A bug in OpenSSL
 - Different interpretations of standards
 - Assumptions about the way BoringSSL works that do not apply to OpenSSL
 - The test uses APIs added to BoringSSL that are not present in OpenSSL
 - etc
 In order to provide a "clean" baseline run with all the tests passing a config
 file has been provided that suppresses the running of tests that are known to
 fail. These suppressions are held in the file "test/ossl_shim/ossl_config.json"
 within the OpenSSL source code.
 The community is encouraged to contribute patches which reduce the number of
 suppressions that are currently present.
 Python PYCA/Cryptography test suite
 ===================================
 This python test suite runs cryptographic tests with a local OpenSSL build as
 the implementation.
 First checkout the PYCA/Cryptography module into ./pyca-cryptography using:
 $ git submodule update --init
 Then configure/build OpenSSL compatible with the python module:
 $ ./config shared enable-external-tests
 $ make
 The tests will run in a python virtual environment which requires virtualenv
 to be installed.
 $ make test VERBOSE=1 TESTS=test_external_pyca
 Test failures and suppressions
 ------------------------------
 Some tests target older (<=1.0.2) versions so will not run. Other tests target
 other crypto implementations so are not relevant. Currently no tests fail.
 krb5 test suite
 ===============
 Much like the PYCA/Cryptography test suite, this builds and runs the krb5
 tests against the local OpenSSL build.
 You will need a git checkout of krb5 at the top level:
 $ git clone https://github.com/krb5/krb5
 krb5's master has to pass this same CI, but a known-good version is
 krb5-1.15.1-final if you want to be sure.
 $ cd krb5
 $ git checkout krb5-1.15.1-final
 $ cd ..
 OpenSSL must be built with external tests enabled:
 $ ./config enable-external-tests
 $ make
 krb5's tests will then be run as part of the rest of the suite, or can be
 explicitly run (with more debugging):
 $ VERBOSE=1 make TESTS=test_external_krb5 test
 Test-failures suppressions
 --------------------------
 krb5 will automatically adapt its test suite to account for the configuration
 of your system.  Certain tests may require more installed packages to run.  No
 tests are expected to fail.
 GOST engine test suite
 ===============
 Much like the PYCA/Cryptography test suite, this builds and runs the GOST engine
 tests against the local OpenSSL build.
 You will need a git checkout of gost-engine at the top level:
 $ git submodule update --init
 Then configure/build OpenSSL enabling external tests:
 $ ./config shared enable-external-tests
 $ make
 GOST engine requires CMake for the build process.
 GOST engine tests will then be run as part of the rest of the suite, or can be
 explicitly run (with more debugging):
 $ make test VERBOSE=1 TESTS=test_external_gost_engine
 Updating test suites
 ====================
 To update the commit for any of the above test suites:
 - Make sure the submodules are cloned locally:
  $ git submodule update --init --recursive
 - Enter subdirectory and pull from the repository (use a specific branch/tag if required):
  $ cd <submodule-dir>
  $ git pull origin master
 - Go to root directory, there should be a new git status:
  $ cd ../
  $ git status
  ...
  #       modified:   <submodule-dir> (new commits)
  ...
 - Add/commit/push the update
  git add <submodule-dir>
  git commit -m "Updated <submodule> to latest commit"
  git push
--- a/test/ossl_shim/async_bio.cc
+++ b/test/ossl_shim/async_bio.cc
@ -1,183 +0,0 @@
 /*
 * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */
 #include "async_bio.h"
 #include <errno.h>
 #include <string.h>
 #include <openssl/bio.h>
 #include <openssl/crypto.h>
 namespace {
 struct AsyncBio {
  bool datagram;
  bool enforce_write_quota;
  size_t read_quota;
  size_t write_quota;
 };
 AsyncBio *GetData(BIO *bio) {
  return (AsyncBio *)BIO_get_data(bio);
 }
 static int AsyncWrite(BIO *bio, const char *in, int inl) {
  AsyncBio *a = GetData(bio);
  if (a == NULL || BIO_next(bio) == NULL) {
    return 0;
  }
  if (!a->enforce_write_quota) {
    return BIO_write(BIO_next(bio), in, inl);
  }
  BIO_clear_retry_flags(bio);
  if (a->write_quota == 0) {
    BIO_set_retry_write(bio);
    errno = EAGAIN;
    return -1;
  }
  if (!a->datagram && (size_t)inl > a->write_quota) {
    inl = a->write_quota;
  }
  int ret = BIO_write(BIO_next(bio), in, inl);
  if (ret <= 0) {
    BIO_copy_next_retry(bio);
  } else {
    a->write_quota -= (a->datagram ? 1 : ret);
  }
  return ret;
 }
 static int AsyncRead(BIO *bio, char *out, int outl) {
  AsyncBio *a = GetData(bio);
  if (a == NULL || BIO_next(bio) == NULL) {
    return 0;
  }
  BIO_clear_retry_flags(bio);
  if (a->read_quota == 0) {
    BIO_set_retry_read(bio);
    errno = EAGAIN;
    return -1;
  }
  if (!a->datagram && (size_t)outl > a->read_quota) {
    outl = a->read_quota;
  }
  int ret = BIO_read(BIO_next(bio), out, outl);
  if (ret <= 0) {
    BIO_copy_next_retry(bio);
  } else {
    a->read_quota -= (a->datagram ? 1 : ret);
  }
  return ret;
 }
 static long AsyncCtrl(BIO *bio, int cmd, long num, void *ptr) {
  if (BIO_next(bio) == NULL) {
    return 0;
  }
  BIO_clear_retry_flags(bio);
  int ret = BIO_ctrl(BIO_next(bio), cmd, num, ptr);
  BIO_copy_next_retry(bio);
  return ret;
 }
 static int AsyncNew(BIO *bio) {
  AsyncBio *a = (AsyncBio *)OPENSSL_malloc(sizeof(*a));
  if (a == NULL) {
    return 0;
  }
  memset(a, 0, sizeof(*a));
  a->enforce_write_quota = true;
  BIO_set_init(bio, 1);
  BIO_set_data(bio, a);
  return 1;
 }
 static int AsyncFree(BIO *bio) {
  if (bio == NULL) {
    return 0;
  }
  OPENSSL_free(BIO_get_data(bio));
  BIO_set_data(bio, NULL);
  BIO_set_init(bio, 0);
  return 1;
 }
 static long AsyncCallbackCtrl(BIO *bio, int cmd, BIO_info_cb fp)
 {
  if (BIO_next(bio) == NULL)
    return 0;
  return BIO_callback_ctrl(BIO_next(bio), cmd, fp);
 }
 static BIO_METHOD *g_async_bio_method = NULL;
 static const BIO_METHOD *AsyncMethod(void)
 {
  if (g_async_bio_method == NULL) {
    g_async_bio_method = BIO_meth_new(BIO_TYPE_FILTER, "async bio");
    if (   g_async_bio_method == NULL
        || !BIO_meth_set_write(g_async_bio_method, AsyncWrite)
        || !BIO_meth_set_read(g_async_bio_method, AsyncRead)
        || !BIO_meth_set_ctrl(g_async_bio_method, AsyncCtrl)
        || !BIO_meth_set_create(g_async_bio_method, AsyncNew)
        || !BIO_meth_set_destroy(g_async_bio_method, AsyncFree)
        || !BIO_meth_set_callback_ctrl(g_async_bio_method, AsyncCallbackCtrl))
    return NULL;
  }
  return g_async_bio_method;
 }
 }  // namespace
 bssl::UniquePtr<BIO> AsyncBioCreate() {
  return bssl::UniquePtr<BIO>(BIO_new(AsyncMethod()));
 }
 bssl::UniquePtr<BIO> AsyncBioCreateDatagram() {
  bssl::UniquePtr<BIO> ret(BIO_new(AsyncMethod()));
  if (!ret) {
    return nullptr;
  }
  GetData(ret.get())->datagram = true;
  return ret;
 }
 void AsyncBioAllowRead(BIO *bio, size_t count) {
  AsyncBio *a = GetData(bio);
  if (a == NULL) {
    return;
  }
  a->read_quota += count;
 }
 void AsyncBioAllowWrite(BIO *bio, size_t count) {
  AsyncBio *a = GetData(bio);
  if (a == NULL) {
    return;
  }
  a->write_quota += count;
 }
 void AsyncBioEnforceWriteQuota(BIO *bio, bool enforce) {
  AsyncBio *a = GetData(bio);
  if (a == NULL) {
    return;
  }
  a->enforce_write_quota = enforce;
 }
--- a/test/ossl_shim/async_bio.h
+++ b/test/ossl_shim/async_bio.h
@ -1,39 +0,0 @@
 /*
 * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */
 #ifndef OSSL_TEST_SHIM_ASYNC_BIO_H
 #define OSSL_TEST_SHIM_ASYNC_BIO_H
 #include <openssl/base.h>
 #include <openssl/bio.h>
 // AsyncBioCreate creates a filter BIO for testing asynchronous state
 // machines which consume a stream socket. Reads and writes will fail
 // and return EAGAIN unless explicitly allowed. Each async BIO has a
 // read quota and a write quota. Initially both are zero. As each is
 // incremented, bytes are allowed to flow through the BIO.
 bssl::UniquePtr<BIO> AsyncBioCreate();
 // AsyncBioCreateDatagram creates a filter BIO for testing for
 // asynchronous state machines which consume datagram sockets. The read
 // and write quota count in packets rather than bytes.
 bssl::UniquePtr<BIO> AsyncBioCreateDatagram();
 // AsyncBioAllowRead increments |bio|'s read quota by |count|.
 void AsyncBioAllowRead(BIO *bio, size_t count);
 // AsyncBioAllowWrite increments |bio|'s write quota by |count|.
 void AsyncBioAllowWrite(BIO *bio, size_t count);
 // AsyncBioEnforceWriteQuota configures where |bio| enforces its write quota.
 void AsyncBioEnforceWriteQuota(BIO *bio, bool enforce);
 #endif  // OSSL_TEST_SHIM_ASYNC_BIO_H
--- a/test/ossl_shim/build.info
+++ b/test/ossl_shim/build.info
@ -1,6 +0,0 @@
 IF[{- defined $target{CXX} && !$disabled{"external-tests"} -}]
  PROGRAMS{noinst}=ossl_shim
  SOURCE[ossl_shim]=ossl_shim.cc async_bio.cc packeted_bio.cc test_config.cc
  INCLUDE[ossl_shim]=. include ../../include
  DEPEND[ossl_shim]=../../libssl ../../libcrypto
 ENDIF
--- a/test/ossl_shim/include/openssl/base.h
+++ b/test/ossl_shim/include/openssl/base.h
@ -1,114 +0,0 @@
 /*
 * Copyright 1998-2021 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */
 #ifndef OSSL_TEST_SHIM_INCLUDE_OPENSSL_BASE_H
 #define OSSL_TEST_SHIM_INCLUDE_OPENSSL_BASE_H
 /* Needed for DH functions */
 #include "internal/deprecated.h"
 /* Needed for BORINGSSL_MAKE_DELETER */
 # include <openssl/bio.h>
 # include <openssl/evp.h>
 # include <openssl/dh.h>
 # include <openssl/x509.h>
 # include <openssl/ssl.h>
 # define OPENSSL_ARRAY_SIZE(array) (sizeof(array) / sizeof((array)[0]))
 extern "C++" {
 #include <memory>
 namespace bssl {
 namespace internal {
 template <typename T>
 struct DeleterImpl {};
 template <typename T>
 struct Deleter {
  void operator()(T *ptr) {
    // Rather than specialize Deleter for each type, we specialize
    // DeleterImpl. This allows bssl::UniquePtr<T> to be used while only
    // including base.h as long as the destructor is not emitted. This matches
    // std::unique_ptr's behavior on forward-declared types.
    //
    // DeleterImpl itself is specialized in the corresponding module's header
    // and must be included to release an object. If not included, the compiler
    // will error that DeleterImpl<T> does not have a method Free.
    DeleterImpl<T>::Free(ptr);
  }
 };
 template <typename T, typename CleanupRet, void (*init)(T *),
          CleanupRet (*cleanup)(T *)>
 class StackAllocated {
 public:
  StackAllocated() { init(&ctx_); }
  ~StackAllocated() { cleanup(&ctx_); }
  StackAllocated(const StackAllocated<T, CleanupRet, init, cleanup> &) = delete;
  T& operator=(const StackAllocated<T, CleanupRet, init, cleanup> &) = delete;
  T *get() { return &ctx_; }
  const T *get() const { return &ctx_; }
  void Reset() {
    cleanup(&ctx_);
    init(&ctx_);
  }
 private:
  T ctx_;
 };
 }  // namespace internal
 #define BORINGSSL_MAKE_DELETER(type, deleter)     \
  namespace internal {                            \
  template <>                                     \
  struct DeleterImpl<type> {                      \
    static void Free(type *ptr) { deleter(ptr); } \
  };                                              \
  }
 // This makes a unique_ptr to STACK_OF(type) that owns all elements on the
 // stack, i.e. it uses sk_pop_free() to clean up.
 #define BORINGSSL_MAKE_STACK_DELETER(type, deleter) \
  namespace internal {                              \
  template <>                                       \
  struct DeleterImpl<STACK_OF(type)> {              \
    static void Free(STACK_OF(type) *ptr) {         \
      sk_##type##_pop_free(ptr, deleter);           \
    }                                               \
  };                                                \
  }
 // Holds ownership of heap-allocated BoringSSL structures. Sample usage:
 //   bssl::UniquePtr<BIO> rsa(RSA_new());
 //   bssl::UniquePtr<BIO> bio(BIO_new(BIO_s_mem()));
 template <typename T>
 using UniquePtr = std::unique_ptr<T, internal::Deleter<T>>;
 BORINGSSL_MAKE_DELETER(BIO, BIO_free)
 BORINGSSL_MAKE_DELETER(EVP_PKEY, EVP_PKEY_free)
 BORINGSSL_MAKE_DELETER(DH, DH_free)
 BORINGSSL_MAKE_DELETER(X509, X509_free)
 BORINGSSL_MAKE_DELETER(SSL, SSL_free)
 BORINGSSL_MAKE_DELETER(SSL_CTX, SSL_CTX_free)
 BORINGSSL_MAKE_DELETER(SSL_SESSION, SSL_SESSION_free)
 }  // namespace bssl
 }  /* extern C++ */
 #endif  /* OSSL_TEST_SHIM_INCLUDE_OPENSSL_BASE_H */
--- a/test/ossl_shim/ossl_config.json
+++ b/test/ossl_shim/ossl_config.json
@ -1,301 +0,0 @@
 {
    "DisabledTests" : {
        "*TLS13*":"No TLS1.3 support yet",
        "FragmentAlert-DTLS":"Test failure - reason unknown",
        "FragmentedClientVersion":"Test failure - reason unknown",
        "MTU":"Test failure - reason unknown",
        "EmptyCertificateList":"Test failure - reason unknown",
        "AppDataBeforeHandshake-DTLS":"Test failure - reason unknown",
        "AlertAfterChangeCipherSpec":"Test failure - reason unknown",
        "AppDataAfterChangeCipherSpec":"Test failure - reason unknown",
        "AppDataAfterChangeCipherSpec-Empty":"Test failure - reason unknown",
        "AppDataAfterChangeCipherSpec-DTLS":"Test failure - reason unknown",
        "AppDataBeforeHandshake-DTLS-Empty":"Test failure - reason unknown",
        "AlertAfterChangeCipherSpec-DTLS":"Test failure - reason unknown",
        "FragmentMessageLengthMismatch-DTLS":"Test failure - reason unknown",
        "SplitFragments-Header-DTLS":"Test failure - reason unknown",
        "SplitFragments-Boundary-DTLS":"Test failure - reason unknown",
        "SplitFragments-Body-DTLS":"Test failure - reason unknown",
        "SendEmptyFragments-DTLS":"Test failure - reason unknown",
        "SendInvalidRecordType-DTLS":"Test failure - reason unknown",
        "SendInvalidRecordType":"Test failure - reason unknown",
        "FragmentMessageTypeMismatch-DTLS":"Test failure - reason unknown",
        "SendWarningAlerts-Pass":"Test failure - reason unknown",
        "SendWarningAlerts-DTLS-Pass":"Test failure - reason unknown",
        "TooManyKeyUpdates":"Test failure - reason unknown",
        "Unclean-Shutdown-Alert":"Test failure - reason unknown",
        "V2ClientHello-WarningAlertPrefix":"Test failure - reason unknown",
        "BadHelloRequest-2":"Test failure - reason unknown",
        "DTLS-SendExtraFinished":"Test failure - reason unknown",
        "NoNullCompression-TLS12":"Test failure - reason unknown",
        "KeyUpdate-Client":"Test failure - reason unknown",
        "KeyUpdate-InvalidRequestMode":"Test failure - reason unknown",
        "DTLS-SendExtraFinished-Reordered":"Test failure - reason unknown",
        "LargeMessage-Reject-DTLS":"Test failure - reason unknown",
        "KeyUpdate-Server":"Test failure - reason unknown",
        "SSL3-ECDHE-PSK-AES128-CBC-SHA-server":"Test failure - reason unknown",
        "SSL3-ECDHE-PSK-AES256-CBC-SHA-server":"Test failure - reason unknown",
        "DTLS1-NULL-SHA-server":"Test failure - reason unknown",
        "DTLS1-NULL-SHA-client":"Test failure - reason unknown",
        "DTLS12-NULL-SHA-client":"Test failure - reason unknown",
        "DTLS12-NULL-SHA-server":"Test failure - reason unknown",
        "BadECDSA-1-4":"Test failure - reason unknown",
        "BadECDSA-3-4":"Test failure - reason unknown",
        "BadECDSA-4-1":"Test failure - reason unknown",
        "BadECDSA-4-4":"Test failure - reason unknown",
        "BadECDSA-4-3":"Test failure - reason unknown",
        "SillyDH":"Test failure - reason unknown",
        "VersionNegotiationExtension-TLS1-DTLS":"Test failure - reason unknown",
        "NoSupportedVersions-DTLS":"Test failure - reason unknown",
        "VersionTooLow-DTLS":"Test failure - reason unknown",
        "IgnoreClientVersionOrder":"Test failure - reason unknown",
        "VersionTooLow":"Test failure - reason unknown",
        "MinimumVersion-Server-TLS1-SSL3":"Test failure - reason unknown",
        "MinimumVersion-Server2-TLS1-SSL3":"Test failure - reason unknown",
        "MinimumVersion-Client2-TLS1-SSL3":"Test failure - reason unknown",
        "MinimumVersion-Server2-TLS11-SSL3":"Test failure - reason unknown",
        "MinimumVersion-Server-TLS11-SSL3":"Test failure - reason unknown",
        "MinimumVersion-Client2-TLS11-SSL3":"Test failure - reason unknown",
        "MinimumVersion-Client2-TLS11-TLS1":"Test failure - reason unknown",
        "MinimumVersion-Server2-TLS12-SSL3":"Test failure - reason unknown",
        "MinimumVersion-Server-TLS12-SSL3":"Test failure - reason unknown",
        "MinimumVersion-Client2-TLS12-TLS1":"Test failure - reason unknown",
        "MinimumVersion-Client2-TLS12-SSL3":"Test failure - reason unknown",
        "MinimumVersion-Client2-TLS12-TLS1-DTLS":"Test failure - reason unknown",
        "MinimumVersion-Client2-TLS12-TLS11":"Test failure - reason unknown",
        "DuplicateExtensionClient-TLS1":"Test failure - reason unknown",
        "DuplicateExtensionServer-TLS1":"Test failure - reason unknown",
        "ALPNClient-Mismatch-TLS1":"Test failure - reason unknown",
        "UnsolicitedServerNameAck-TLS1":"Test failure - reason unknown",
        "ALPNServer-Decline-TLS1":"Test failure - reason unknown",
        "ALPNClient-EmptyProtocolName-TLS1":"Test failure - reason unknown",
        "NegotiateALPNAndNPN-Swapped-TLS1":"Test failure - reason unknown",
        "NegotiateALPNAndNPN-TLS1":"Test failure - reason unknown",
        "TicketSessionIDLength-33-TLS1":"Test failure - reason unknown",
        "DuplicateExtensionClient-TLS11":"Test failure - reason unknown",
        "DuplicateExtensionServer-TLS11":"Test failure - reason unknown",
        "UnsolicitedServerNameAck-TLS11":"Test failure - reason unknown",
        "ALPNServer-Decline-TLS11":"Test failure - reason unknown",
        "ALPNClient-Mismatch-TLS11":"Test failure - reason unknown",
        "ALPNClient-EmptyProtocolName-TLS11":"Test failure - reason unknown",
        "NegotiateALPNAndNPN-TLS11":"Test failure - reason unknown",
        "NegotiateALPNAndNPN-Swapped-TLS11":"Test failure - reason unknown",
        "TicketSessionIDLength-33-TLS11":"Test failure - reason unknown",
        "DuplicateExtensionServer-TLS12":"Test failure - reason unknown",
        "DuplicateExtensionClient-TLS12":"Test failure - reason unknown",
        "UnsolicitedServerNameAck-TLS12":"Test failure - reason unknown",
        "ALPNServer-Decline-TLS12":"Test failure - reason unknown",
        "ALPNClient-Mismatch-TLS12":"Test failure - reason unknown",
        "ALPNClient-EmptyProtocolName-TLS12":"Test failure - reason unknown",
        "NegotiateALPNAndNPN-TLS12":"Test failure - reason unknown",
        "NegotiateALPNAndNPN-Swapped-TLS12":"Test failure - reason unknown",
        "TicketSessionIDLength-33-TLS12":"Test failure - reason unknown",
        "ClientHelloPadding":"Test failure - reason unknown",
        "Resume-Server-UnofferedCipher":"Test failure - reason unknown",
        "Resume-Client-CipherMismatch":"Test failure - reason unknown",
        "Resume-Server-ExtraIdentityNoBinder":"Test failure - reason unknown",
        "Resume-Server-BinderWrongLength":"Test failure - reason unknown",
        "Resume-Server-ExtraPSKBinder":"Test failure - reason unknown",
        "Resume-Server-NoPSKBinder":"Test failure - reason unknown",
        "Resume-Server-PSKBinderFirstExtension":"Test failure - reason unknown",
        "Resume-Server-InvalidPSKBinder":"Test failure - reason unknown",
        "ExtendedMasterSecret-NoToYes-Client":"Test failure - reason unknown",
        "Renegotiate-Server-Forbidden":"Test failure - reason unknown",
        "ExtendedMasterSecret-Renego-NoEMS":"Test failure - reason unknown",
        "Renegotiate-Client-SwitchVersion":"Test failure - reason unknown",
        "Renegotiate-Client-Upgrade":"Test failure - reason unknown",
        "Renegotiate-SameClientVersion":"Test failure - reason unknown",
        "Renegotiate-Client-Downgrade":"Test failure - reason unknown",
        "Renegotiate-Client-SwitchCiphers2":"Test failure - reason unknown",
        "Renegotiate-Client-SwitchCiphers":"Test failure - reason unknown",
        "Renegotiate-Client-Forbidden-1":"Test failure - reason unknown",
        "StrayHelloRequest":"Test failure - reason unknown",
        "Renegotiate-Client-Freely-2":"Test failure - reason unknown",
        "Renegotiate-Client-NoIgnore":"Test failure - reason unknown",
        "StrayHelloRequest-Packed":"Test failure - reason unknown",
        "Renegotiate-Client-Freely-1":"Test failure - reason unknown",
        "Renegotiation-CertificateChange":"Test failure - reason unknown",
        "Renegotiation-CertificateChange-2":"Test failure - reason unknown",
        "Renegotiate-Client-SSL3":"Test failure - reason unknown",
        "ClientAuth-SHA1-Fallback-ECDSA":"Test failure - reason unknown",
        "ClientAuth-SHA1-Fallback-RSA":"Test failure - reason unknown",
        "P224-Server":"Test failure - reason unknown",
        "RSA-PSS-Large":"Test failure - reason unknown",
        "DTLS-Retransmit-Client-1":"Test failure - reason unknown",
        "DTLS-Retransmit-Client-2":"Test failure - reason unknown",
        "DTLS-Retransmit-Server-1":"Test failure - reason unknown",
        "DTLS-Retransmit-Server-2":"Test failure - reason unknown",
        "DTLS-Retransmit-Client-3":"Test failure - reason unknown",
        "DTLS-Retransmit-Server-3":"Test failure - reason unknown",
        "DTLS-Retransmit-Client-4":"Test failure - reason unknown",
        "Renegotiate-Client-Packed":"Test failure - reason unknown",
        "DTLS-Retransmit-Server-4":"Test failure - reason unknown",
        "DTLS-Retransmit-Client-5":"Test failure - reason unknown",
        "DTLS-Retransmit-Server-6":"Test failure - reason unknown",
        "DTLS-Retransmit-Client-6":"Test failure - reason unknown",
        "DTLS-Retransmit-Server-5":"Test failure - reason unknown",
        "DTLS-Retransmit-Client-7":"Test failure - reason unknown",
        "DTLS-Retransmit-Server-7":"Test failure - reason unknown",
        "DTLS-Retransmit-Client-8":"Test failure - reason unknown",
        "DTLS-Retransmit-Client-9":"Test failure - reason unknown",
        "DTLS-Retransmit-Server-8":"Test failure - reason unknown",
        "DTLS-Retransmit-Server-9":"Test failure - reason unknown",
        "DTLS-Retransmit-Client-10":"Test failure - reason unknown",
        "DTLS-Retransmit-Client-11":"Test failure - reason unknown",
        "DTLS-Retransmit-Server-10":"Test failure - reason unknown",
        "DTLS-Retransmit-Server-11":"Test failure - reason unknown",
        "CustomExtensions-ParseError-Server":"Test failure - reason unknown",
        "CustomExtensions-FailAdd-Server":"Test failure - reason unknown",
        "CustomExtensions-FailAdd-Client":"Test failure - reason unknown",
        "CustomExtensions-ParseError-Client":"Test failure - reason unknown",
        "UnknownExtension-Client":"Test failure - reason unknown",
        "UnofferedExtension-Client":"Test failure - reason unknown",
        "PointFormat-Client-MissingUncompressed":"Test failure - reason unknown",
        "PointFormat-Server-MissingUncompressed":"Test failure - reason unknown",
        "Basic-Client-RenewTicket-Sync":"Test failure - reason unknown",
        "Renegotiate-Client-Sync":"Test failure - reason unknown",
        "Shutdown-Shim-Sync":"Test failure - reason unknown",
        "Basic-Client-RenewTicket-Sync-SplitHandshakeRecords":"Test failure - reason unknown",
        "Renegotiate-Client-Sync-SplitHandshakeRecords":"Test failure - reason unknown",
        "Shutdown-Shim-Sync-SplitHandshakeRecords":"Test failure - reason unknown",
        "Basic-Client-RenewTicket-Sync-PackHandshakeFlight":"Test failure - reason unknown",
        "Renegotiate-Client-Sync-PackHandshakeFlight":"Test failure - reason unknown",
        "Shutdown-Shim-Sync-PackHandshakeFlight":"Test failure - reason unknown",
        "Basic-Client-RenewTicket-DTLS-Sync":"Test failure - reason unknown",
        "Basic-Client-RenewTicket-DTLS-Sync-SplitHandshakeRecords":"Test failure - reason unknown",
        "Basic-Server-Implicit-DTLS-Sync-SplitHandshakeRecords":"Test failure - reason unknown",
        "ClientAuth-NoCertificate-Server-DTLS-Sync-SplitHandshakeRecords":"Test failure - reason unknown",
        "ClientAuth-ECDSA-Client-DTLS-Sync-SplitHandshakeRecords":"Test failure - reason unknown",
        "Basic-Server-RSA-DTLS-Sync-SplitHandshakeRecords":"Test failure - reason unknown",
        "Basic-Server-ECDHE-RSA-DTLS-Sync-SplitHandshakeRecords":"Test failure - reason unknown",
        "Basic-Server-ECDHE-ECDSA-DTLS-Sync-SplitHandshakeRecords":"Test failure - reason unknown",
        "Basic-Client-RenewTicket-Async":"Test failure - reason unknown",
        "Shutdown-Shim-Async":"Test failure - reason unknown",
        "Basic-Client-RenewTicket-Async-SplitHandshakeRecords":"Test failure - reason unknown",
        "Shutdown-Shim-Async-SplitHandshakeRecords":"Test failure - reason unknown",
        "Basic-Client-RenewTicket-Async-PackHandshakeFlight":"Test failure - reason unknown",
        "Shutdown-Shim-Async-PackHandshakeFlight":"Test failure - reason unknown",
        "Basic-Client-RenewTicket-DTLS-Async":"Test failure - reason unknown",
        "Basic-Client-RenewTicket-DTLS-Async-SplitHandshakeRecords":"Test failure - reason unknown",
        "Basic-Server-Implicit-DTLS-Async-SplitHandshakeRecords":"Test failure - reason unknown",
        "ClientAuth-NoCertificate-Server-DTLS-Async-SplitHandshakeRecords":"Test failure - reason unknown",
        "ClientAuth-ECDSA-Client-DTLS-Async-SplitHandshakeRecords":"Test failure - reason unknown",
        "Basic-Server-RSA-DTLS-Async-SplitHandshakeRecords":"Test failure - reason unknown",
        "Basic-Server-ECDHE-RSA-DTLS-Async-SplitHandshakeRecords":"Test failure - reason unknown",
        "Basic-Server-ECDHE-ECDSA-DTLS-Async-SplitHandshakeRecords":"Test failure - reason unknown",
        "SendUnencryptedFinished-DTLS":"Test failure - reason unknown",
        "PartialEncryptedExtensionsWithServerHello":"Test failure - reason unknown",
        "StrayChangeCipherSpec":"Test failure - reason unknown",
        "PartialClientFinishedWithClientHello":"Test failure - reason unknown",
        "TrailingMessageData-ClientHello":"Test failure - reason unknown",
        "TrailingMessageData-ServerHello":"Test failure - reason unknown",
        "TrailingMessageData-ServerCertificate":"Test failure - reason unknown",
        "TrailingMessageData-ServerKeyExchange":"Test failure - reason unknown",
        "TrailingMessageData-CertificateRequest":"Test failure - reason unknown",
        "TrailingMessageData-ServerHelloDone":"Test failure - reason unknown",
        "TrailingMessageData-ClientKeyExchange":"Test failure - reason unknown",
        "TrailingMessageData-ClientCertificate":"Test failure - reason unknown",
        "TrailingMessageData-CertificateVerify":"Test failure - reason unknown",
        "TrailingMessageData-NextProtocol":"Test failure - reason unknown",
        "TrailingMessageData-NewSessionTicket":"Test failure - reason unknown",
        "TrailingMessageData-ClientFinished":"Test failure - reason unknown",
        "TrailingMessageData-ServerFinished":"Test failure - reason unknown",
        "TrailingMessageData-HelloVerifyRequest-DTLS":"Test failure - reason unknown",
        "TrailingMessageData-ServerHello-DTLS":"Test failure - reason unknown",
        "TrailingMessageData-ServerCertificate-DTLS":"Test failure - reason unknown",
        "TrailingMessageData-ServerKeyExchange-DTLS":"Test failure - reason unknown",
        "TrailingMessageData-CertificateRequest-DTLS":"Test failure - reason unknown",
        "TrailingMessageData-ServerHelloDone-DTLS":"Test failure - reason unknown",
        "TrailingMessageData-ClientCertificate-DTLS":"Test failure - reason unknown",
        "TrailingMessageData-CertificateVerify-DTLS":"Test failure - reason unknown",
        "TrailingMessageData-ClientKeyExchange-DTLS":"Test failure - reason unknown",
        "TrailingMessageData-ClientFinished-DTLS":"Test failure - reason unknown",
        "TrailingMessageData-NewSessionTicket-DTLS":"Test failure - reason unknown",
        "TrailingMessageData-ServerFinished-DTLS":"Test failure - reason unknown",
        "MissingKeyShare-Client":"Test failure - reason unknown",
        "MissingKeyShare-Server":"Test failure - reason unknown",
        "DuplicateKeyShares":"Test failure - reason unknown",
        "SkipEarlyData":"Test failure - reason unknown",
        "SkipEarlyData-OmitEarlyDataExtension":"Test failure - reason unknown",
        "SkipEarlyData-TooMuchData":"Test failure - reason unknown",
        "SkipEarlyData-Interleaved":"Test failure - reason unknown",
        "SkipEarlyData-HRR":"Test failure - reason unknown",
        "SkipEarlyData-HRR-Interleaved":"Test failure - reason unknown",
        "SkipEarlyData-HRR-TooMuchData":"Test failure - reason unknown",
        "SkipEarlyData-HRR-FatalAlert":"Test failure - reason unknown",
        "SkipEarlyData-EarlyDataInTLS12":"Test failure - reason unknown",
        "SkipEarlyData-SecondClientHelloEarlyData":"Test failure - reason unknown",
        "EmptyEncryptedExtensions":"Test failure - reason unknown",
        "EncryptedExtensionsWithKeyShare":"Test failure - reason unknown",
        "UnknownCurve-HelloRetryRequest":"Test failure - reason unknown",
        "UnnecessaryHelloRetryRequest":"Test failure - reason unknown",
        "HelloRetryRequest-Empty":"Test failure - reason unknown",
        "SecondHelloRetryRequest":"Test failure - reason unknown",
        "HelloRetryRequest-DuplicateCurve":"Test failure - reason unknown",
        "HelloRetryRequest-DuplicateCookie":"Test failure - reason unknown",
        "HelloRetryRequest-EmptyCookie":"Test failure - reason unknown",
        "HelloRetryRequest-Unknown":"Test failure - reason unknown",
        "SecondClientHelloMissingKeyShare":"Test failure - reason unknown",
        "SecondClientHelloWrongCurve":"Test failure - reason unknown",
        "HelloRetryRequestVersionMismatch":"Test failure - reason unknown",
        "HelloRetryRequestCurveMismatch":"Test failure - reason unknown",
        "SkipHelloRetryRequest":"Test failure - reason unknown",
        "Peek-Renegotiate":"Test failure - reason unknown",
        "Peek-KeyUpdate":"Test failure - reason unknown",
        "DTLS-Retransmit-Client-12":"Test failure - reason unknown",
        "DTLS-Retransmit-Timeout":"Test failure - reason unknown",
        "DTLS-Retransmit-Server-12":"Test failure - reason unknown",
        "DTLS-Retransmit-Fudge":"Test failure - reason unknown",
        "DTLS-Retransmit-Fragmented":"Test failure - reason unknown",
        "TrailingMessageData-ClientHello-DTLS":"Test failure - reason unknown",
        "SendFallbackSCSV":"Current runner version uses old draft TLSv1.3",
        "VersionNegotiationExtension-TLS11":"Current runner version uses old draft TLSv1.3",
        "VersionNegotiationExtension-TLS1":"Current runner version uses old draft TLSv1.3",
        "VersionNegotiationExtension-SSL3":"Current runner version uses old draft TLSv1.3",
        "ConflictingVersionNegotiation":"Current runner version uses old draft TLSv1.3"
    },
    "ErrorMap" : {
        ":UNEXPECTED_MESSAGE:":"unexpected message",
        ":INAPPROPRIATE_FALLBACK:":"inappropriate fallback",
        ":UNEXPECTED_RECORD:":"unexpected message",
        ":TLSV1_ALERT_RECORD_OVERFLOW:":"tlsv1 alert record overflow",
        ":WRONG_SSL_VERSION:":"no protocols available",
        ":BAD_ALERT:":"invalid alert",
        ":HTTP_REQUEST:":"http request",
        ":HTTPS_PROXY_REQUEST:":"https proxy request",
        ":WRONG_CERTIFICATE_TYPE:":"wrong certificate type",
        ":WRONG_VERSION_NUMBER:":"wrong version number",
        ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:":"decryption failed or bad record mac",
        ":DIGEST_CHECK_FAILED:":"digest check failed",
        ":TOO_MANY_EMPTY_FRAGMENTS:":"record too small",
        ":TOO_MANY_WARNING_ALERTS:":"too many warn alerts",
        ":DATA_LENGTH_TOO_LONG:":"data length too long",
        ":EXCESSIVE_MESSAGE_SIZE:":"excessive message size",
        ":ENCRYPTED_LENGTH_TOO_LONG:":"packet length too long",
        ":INVALID_COMPRESSION_LIST:":"no compression specified",
        ":NO_SHARED_CIPHER:":"no shared cipher",
        ":WRONG_CIPHER_RETURNED:":"wrong cipher returned",
        ":HANDSHAKE_FAILURE_ON_CLIENT_HELLO:":"sslv3 alert handshake failure",
        ":UNKNOWN_CIPHER_RETURNED:":"unknown cipher returned",
        ":BAD_SIGNATURE:":"bad signature",
        ":BAD_DH_P_LENGTH:":"dh key too small",
        ":PEER_DID_NOT_RETURN_A_CERTIFICATE:":"peer did not return a certificate",
        ":UNSUPPORTED_PROTOCOL:":"unsupported protocol",
        ":PARSE_TLSEXT:":"bad extension",
        ":BAD_SRTP_PROTECTION_PROFILE_LIST:":"bad srtp protection profile list",
        ":OLD_SESSION_VERSION_NOT_RETURNED:":"ssl session version mismatch",
        ":RESUMED_EMS_SESSION_WITHOUT_EMS_EXTENSION:":"inconsistent extms",
        ":RENEGOTIATION_EMS_MISMATCH:":"inconsistent extms",
        ":RENEGOTIATION_MISMATCH:":"renegotiation mismatch",
        ":WRONG_SIGNATURE_TYPE:":"wrong signature type",
        ":BAD_ECC_CERT:":"wrong curve",
        ":WRONG_CURVE:":"wrong curve",
        ":INVALID_ENCODING:":"invalid encoding",
        ":CERTIFICATE_VERIFY_FAILED:":"certificate verify failed",
        ":BAD_CHANGE_CIPHER_SPEC:":"bad change cipher spec",
        ":ECC_CERT_NOT_FOR_SIGNING:":"ecc cert not for signing",
        ":OLD_SESSION_CIPHER_NOT_RETURNED:":"old session cipher not returned",
        ":RESUMED_NON_EMS_SESSION_WITH_EMS_EXTENSION:":"inconsistent extms"
    }
 }
--- a/test/ossl_shim/ossl_shim.cc
+++ b/test/ossl_shim/ossl_shim.cc
--- a/test/ossl_shim/packeted_bio.cc
+++ b/test/ossl_shim/packeted_bio.cc
@ -1,299 +0,0 @@
 /*
 * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */
 #include "packeted_bio.h"
 #include <assert.h>
 #include <limits.h>
 #include <stdio.h>
 #include <string.h>
 #include <openssl/crypto.h>
 namespace {
 const uint8_t kOpcodePacket = 'P';
 const uint8_t kOpcodeTimeout = 'T';
 const uint8_t kOpcodeTimeoutAck = 't';
 struct PacketedBio {
  explicit PacketedBio(bool advance_clock_arg)
      : advance_clock(advance_clock_arg) {
    memset(&timeout, 0, sizeof(timeout));
    memset(&clock, 0, sizeof(clock));
    memset(&read_deadline, 0, sizeof(read_deadline));
  }
  bool HasTimeout() const {
    return timeout.tv_sec != 0 || timeout.tv_usec != 0;
  }
  bool CanRead() const {
    if (read_deadline.tv_sec == 0 && read_deadline.tv_usec == 0) {
      return true;
    }
    if (clock.tv_sec == read_deadline.tv_sec) {
      return clock.tv_usec < read_deadline.tv_usec;
    }
    return clock.tv_sec < read_deadline.tv_sec;
  }
  timeval timeout;
  timeval clock;
  timeval read_deadline;
  bool advance_clock;
 };
 PacketedBio *GetData(BIO *bio) {
  return (PacketedBio *)BIO_get_data(bio);
 }
 const PacketedBio *GetData(const BIO *bio) {
  return GetData(const_cast<BIO*>(bio));
 }
 // ReadAll reads |len| bytes from |bio| into |out|. It returns 1 on success and
 // 0 or -1 on error.
 static int ReadAll(BIO *bio, uint8_t *out, size_t len) {
  while (len > 0) {
    int chunk_len = INT_MAX;
    if (len <= INT_MAX) {
      chunk_len = (int)len;
    }
    int ret = BIO_read(bio, out, chunk_len);
    if (ret <= 0) {
      return ret;
    }
    out += ret;
    len -= ret;
  }
  return 1;
 }
 static int PacketedWrite(BIO *bio, const char *in, int inl) {
  if (BIO_next(bio) == NULL) {
    return 0;
  }
  BIO_clear_retry_flags(bio);
  // Write the header.
  uint8_t header[5];
  header[0] = kOpcodePacket;
  header[1] = (inl >> 24) & 0xff;
  header[2] = (inl >> 16) & 0xff;
  header[3] = (inl >> 8) & 0xff;
  header[4] = inl & 0xff;
  int ret = BIO_write(BIO_next(bio), header, sizeof(header));
  if (ret <= 0) {
    BIO_copy_next_retry(bio);
    return ret;
  }
  // Write the buffer.
  ret = BIO_write(BIO_next(bio), in, inl);
  if (ret < 0 || (inl > 0 && ret == 0)) {
    BIO_copy_next_retry(bio);
    return ret;
  }
  assert(ret == inl);
  return ret;
 }
 static int PacketedRead(BIO *bio, char *out, int outl) {
  PacketedBio *data = GetData(bio);
  if (BIO_next(bio) == NULL) {
    return 0;
  }
  BIO_clear_retry_flags(bio);
  for (;;) {
    // Check if the read deadline has passed.
    if (!data->CanRead()) {
      BIO_set_retry_read(bio);
      return -1;
    }
    // Read the opcode.
    uint8_t opcode;
    int ret = ReadAll(BIO_next(bio), &opcode, sizeof(opcode));
    if (ret <= 0) {
      BIO_copy_next_retry(bio);
      return ret;
    }
    if (opcode == kOpcodeTimeout) {
      // The caller is required to advance any pending timeouts before
      // continuing.
      if (data->HasTimeout()) {
        fprintf(stderr, "Unprocessed timeout!\n");
        return -1;
      }
      // Process the timeout.
      uint8_t buf[8];
      ret = ReadAll(BIO_next(bio), buf, sizeof(buf));
      if (ret <= 0) {
        BIO_copy_next_retry(bio);
        return ret;
      }
      uint64_t timeout = (static_cast<uint64_t>(buf[0]) << 56) |
          (static_cast<uint64_t>(buf[1]) << 48) |
          (static_cast<uint64_t>(buf[2]) << 40) |
          (static_cast<uint64_t>(buf[3]) << 32) |
          (static_cast<uint64_t>(buf[4]) << 24) |
          (static_cast<uint64_t>(buf[5]) << 16) |
          (static_cast<uint64_t>(buf[6]) << 8) |
          static_cast<uint64_t>(buf[7]);
      timeout /= 1000;  // Convert nanoseconds to microseconds.
      data->timeout.tv_usec = timeout % 1000000;
      data->timeout.tv_sec = timeout / 1000000;
      // Send an ACK to the peer.
      ret = BIO_write(BIO_next(bio), &kOpcodeTimeoutAck, 1);
      if (ret <= 0) {
        return ret;
      }
      assert(ret == 1);
      if (!data->advance_clock) {
        // Signal to the caller to retry the read, after advancing the clock.
        BIO_set_retry_read(bio);
        return -1;
      }
      PacketedBioAdvanceClock(bio);
      continue;
    }
    if (opcode != kOpcodePacket) {
      fprintf(stderr, "Unknown opcode, %u\n", opcode);
      return -1;
    }
    // Read the length prefix.
    uint8_t len_bytes[4];
    ret = ReadAll(BIO_next(bio), len_bytes, sizeof(len_bytes));
    if (ret <= 0) {
      BIO_copy_next_retry(bio);
      return ret;
    }
    uint32_t len = (len_bytes[0] << 24) | (len_bytes[1] << 16) |
        (len_bytes[2] << 8) | len_bytes[3];
    uint8_t *buf = (uint8_t *)OPENSSL_malloc(len);
    if (buf == NULL) {
      return -1;
    }
    ret = ReadAll(BIO_next(bio), buf, len);
    if (ret <= 0) {
      fprintf(stderr, "Packeted BIO was truncated\n");
      return -1;
    }
    if (outl > (int)len) {
      outl = len;
    }
    memcpy(out, buf, outl);
    OPENSSL_free(buf);
    return outl;
  }
 }
 static long PacketedCtrl(BIO *bio, int cmd, long num, void *ptr) {
  if (cmd == BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT) {
    memcpy(&GetData(bio)->read_deadline, ptr, sizeof(timeval));
    return 1;
  }
  if (BIO_next(bio) == NULL) {
    return 0;
  }
  BIO_clear_retry_flags(bio);
  int ret = BIO_ctrl(BIO_next(bio), cmd, num, ptr);
  BIO_copy_next_retry(bio);
  return ret;
 }
 static int PacketedNew(BIO *bio) {
  BIO_set_init(bio, 1);
  return 1;
 }
 static int PacketedFree(BIO *bio) {
  if (bio == NULL) {
    return 0;
  }
  delete GetData(bio);
  BIO_set_init(bio, 0);
  return 1;
 }
 static long PacketedCallbackCtrl(BIO *bio, int cmd, BIO_info_cb fp)
 {
  if (BIO_next(bio) == NULL)
    return 0;
  return BIO_callback_ctrl(BIO_next(bio), cmd, fp);
 }
 static BIO_METHOD *g_packeted_bio_method = NULL;
 static const BIO_METHOD *PacketedMethod(void)
 {
  if (g_packeted_bio_method == NULL) {
    g_packeted_bio_method = BIO_meth_new(BIO_TYPE_FILTER, "packeted bio");
    if (   g_packeted_bio_method == NULL
        || !BIO_meth_set_write(g_packeted_bio_method, PacketedWrite)
        || !BIO_meth_set_read(g_packeted_bio_method, PacketedRead)
        || !BIO_meth_set_ctrl(g_packeted_bio_method, PacketedCtrl)
        || !BIO_meth_set_create(g_packeted_bio_method, PacketedNew)
        || !BIO_meth_set_destroy(g_packeted_bio_method, PacketedFree)
        || !BIO_meth_set_callback_ctrl(g_packeted_bio_method,
                                       PacketedCallbackCtrl))
    return NULL;
  }
  return g_packeted_bio_method;
 }
 }  // namespace
 bssl::UniquePtr<BIO> PacketedBioCreate(bool advance_clock) {
  bssl::UniquePtr<BIO> bio(BIO_new(PacketedMethod()));
  if (!bio) {
    return nullptr;
  }
  BIO_set_data(bio.get(), new PacketedBio(advance_clock));
  return bio;
 }
 timeval PacketedBioGetClock(const BIO *bio) {
  return GetData(bio)->clock;
 }
 bool PacketedBioAdvanceClock(BIO *bio) {
  PacketedBio *data = GetData(bio);
  if (data == nullptr) {
    return false;
  }
  if (!data->HasTimeout()) {
    return false;
  }
  data->clock.tv_usec += data->timeout.tv_usec;
  data->clock.tv_sec += data->clock.tv_usec / 1000000;
  data->clock.tv_usec %= 1000000;
  data->clock.tv_sec += data->timeout.tv_sec;
  memset(&data->timeout, 0, sizeof(data->timeout));
  return true;
 }
--- a/test/ossl_shim/packeted_bio.h
+++ b/test/ossl_shim/packeted_bio.h
@ -1,35 +0,0 @@
 /*
 * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */
 #ifndef OSSL_TEST_SHIM_PACKETED_BIO_H
 #define OSSL_TEST_SHIM_PACKETED_BIO_H
 #include <openssl/base.h>
 #include <openssl/bio.h>
 // PacketedBioCreate creates a filter BIO which implements a reliable in-order
 // blocking datagram socket. It internally maintains a clock and honors
 // |BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT| based on it.
 //
 // During a |BIO_read|, the peer may signal the filter BIO to simulate a
 // timeout. If |advance_clock| is true, it automatically advances the clock and
 // continues reading, subject to the read deadline. Otherwise, it fails
 // immediately. The caller must then call |PacketedBioAdvanceClock| before
 // retrying |BIO_read|.
 bssl::UniquePtr<BIO> PacketedBioCreate(bool advance_clock);
 // PacketedBioGetClock returns the current time for |bio|.
 timeval PacketedBioGetClock(const BIO *bio);
 // PacketedBioAdvanceClock advances |bio|'s internal clock and returns true if
 // there is a pending timeout. Otherwise, it returns false.
 bool PacketedBioAdvanceClock(BIO *bio);
 #endif  // OSSL_TEST_SHIM_PACKETED_BIO_H
--- a/test/ossl_shim/test_config.cc
+++ b/test/ossl_shim/test_config.cc
@ -1,195 +0,0 @@
 /*
 * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */
 #include "test_config.h"
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <memory>
 #include <openssl/evp.h>
 namespace {
 template <typename T>
 struct Flag {
  const char *flag;
  T TestConfig::*member;
 };
 // FindField looks for the flag in |flags| that matches |flag|. If one is found,
 // it returns a pointer to the corresponding field in |config|. Otherwise, it
 // returns NULL.
 template<typename T, size_t N>
 T *FindField(TestConfig *config, const Flag<T> (&flags)[N], const char *flag) {
  for (size_t i = 0; i < N; i++) {
    if (strcmp(flag, flags[i].flag) == 0) {
      return &(config->*(flags[i].member));
    }
  }
  return NULL;
 }
 const Flag<bool> kBoolFlags[] = {
  { "-server", &TestConfig::is_server },
  { "-dtls", &TestConfig::is_dtls },
  { "-fallback-scsv", &TestConfig::fallback_scsv },
  { "-require-any-client-certificate",
    &TestConfig::require_any_client_certificate },
  { "-async", &TestConfig::async },
  { "-write-different-record-sizes",
    &TestConfig::write_different_record_sizes },
  { "-partial-write", &TestConfig::partial_write },
  { "-no-tls13", &TestConfig::no_tls13 },
  { "-no-tls12", &TestConfig::no_tls12 },
  { "-no-tls11", &TestConfig::no_tls11 },
  { "-no-tls1", &TestConfig::no_tls1 },
  { "-no-ssl3", &TestConfig::no_ssl3 },
  { "-shim-writes-first", &TestConfig::shim_writes_first },
  { "-expect-session-miss", &TestConfig::expect_session_miss },
  { "-decline-alpn", &TestConfig::decline_alpn },
  { "-expect-extended-master-secret",
    &TestConfig::expect_extended_master_secret },
  { "-implicit-handshake", &TestConfig::implicit_handshake },
  { "-handshake-never-done", &TestConfig::handshake_never_done },
  { "-use-export-context", &TestConfig::use_export_context },
  { "-expect-ticket-renewal", &TestConfig::expect_ticket_renewal },
  { "-expect-no-session", &TestConfig::expect_no_session },
  { "-use-ticket-callback", &TestConfig::use_ticket_callback },
  { "-renew-ticket", &TestConfig::renew_ticket },
  { "-enable-client-custom-extension",
    &TestConfig::enable_client_custom_extension },
  { "-enable-server-custom-extension",
    &TestConfig::enable_server_custom_extension },
  { "-custom-extension-skip", &TestConfig::custom_extension_skip },
  { "-custom-extension-fail-add", &TestConfig::custom_extension_fail_add },
  { "-check-close-notify", &TestConfig::check_close_notify },
  { "-shim-shuts-down", &TestConfig::shim_shuts_down },
  { "-verify-fail", &TestConfig::verify_fail },
  { "-verify-peer", &TestConfig::verify_peer },
  { "-expect-verify-result", &TestConfig::expect_verify_result },
  { "-renegotiate-freely", &TestConfig::renegotiate_freely },
  { "-p384-only", &TestConfig::p384_only },
  { "-enable-all-curves", &TestConfig::enable_all_curves },
  { "-use-sparse-dh-prime", &TestConfig::use_sparse_dh_prime },
  { "-use-old-client-cert-callback",
    &TestConfig::use_old_client_cert_callback },
  { "-use-null-client-ca-list", &TestConfig::use_null_client_ca_list },
  { "-peek-then-read", &TestConfig::peek_then_read },
 };
 const Flag<std::string> kStringFlags[] = {
  { "-key-file", &TestConfig::key_file },
  { "-cert-file", &TestConfig::cert_file },
  { "-expect-server-name", &TestConfig::expected_server_name },
  { "-advertise-npn", &TestConfig::advertise_npn },
  { "-expect-next-proto", &TestConfig::expected_next_proto },
  { "-select-next-proto", &TestConfig::select_next_proto },
  { "-host-name", &TestConfig::host_name },
  { "-advertise-alpn", &TestConfig::advertise_alpn },
  { "-expect-alpn", &TestConfig::expected_alpn },
  { "-expect-advertised-alpn", &TestConfig::expected_advertised_alpn },
  { "-select-alpn", &TestConfig::select_alpn },
  { "-psk", &TestConfig::psk },
  { "-psk-identity", &TestConfig::psk_identity },
  { "-srtp-profiles", &TestConfig::srtp_profiles },
  { "-cipher", &TestConfig::cipher },
  { "-export-label", &TestConfig::export_label },
  { "-export-context", &TestConfig::export_context },
 };
 const Flag<std::string> kBase64Flags[] = {
  { "-expect-certificate-types", &TestConfig::expected_certificate_types },
 };
 const Flag<int> kIntFlags[] = {
  { "-port", &TestConfig::port },
  { "-resume-count", &TestConfig::resume_count },
  { "-min-version", &TestConfig::min_version },
  { "-max-version", &TestConfig::max_version },
  { "-mtu", &TestConfig::mtu },
  { "-export-keying-material", &TestConfig::export_keying_material },
  { "-expect-total-renegotiations", &TestConfig::expect_total_renegotiations },
  { "-max-cert-list", &TestConfig::max_cert_list },
 };
 }  // namespace
 bool ParseConfig(int argc, char **argv, TestConfig *out_config) {
  for (int i = 0; i < argc; i++) {
    bool *bool_field = FindField(out_config, kBoolFlags, argv[i]);
    if (bool_field != NULL) {
      *bool_field = true;
      continue;
    }
    std::string *string_field = FindField(out_config, kStringFlags, argv[i]);
    if (string_field != NULL) {
      const char *val;
      i++;
      if (i >= argc) {
        fprintf(stderr, "Missing parameter\n");
        return false;
      }
      /*
       * Fix up the -cipher argument. runner uses "DEFAULT:NULL-SHA" to enable
       * the NULL-SHA cipher. However in OpenSSL "DEFAULT" permanently switches
       * off NULL ciphers, so we use "ALL:NULL-SHA" instead.
       */
      if (strcmp(argv[i - 1], "-cipher") == 0
          && strcmp(argv[i], "DEFAULT:NULL-SHA") == 0)
        val = "ALL:NULL-SHA";
      else
        val = argv[i];
      string_field->assign(val);
      continue;
    }
    std::string *base64_field = FindField(out_config, kBase64Flags, argv[i]);
    if (base64_field != NULL) {
      i++;
      if (i >= argc) {
        fprintf(stderr, "Missing parameter\n");
        return false;
      }
      std::unique_ptr<uint8_t[]> decoded(new uint8_t[strlen(argv[i])]);
      int len = EVP_DecodeBlock(decoded.get(),
                                reinterpret_cast<const uint8_t *>(argv[i]),
                                strlen(argv[i]));
      if (len < 0) {
        fprintf(stderr, "Invalid base64: %s\n", argv[i]);
        return false;
      }
      base64_field->assign(reinterpret_cast<const char *>(decoded.get()), len);
      continue;
    }
    int *int_field = FindField(out_config, kIntFlags, argv[i]);
    if (int_field) {
      i++;
      if (i >= argc) {
        fprintf(stderr, "Missing parameter\n");
        return false;
      }
      *int_field = atoi(argv[i]);
      continue;
    }
    fprintf(stderr, "Unknown argument: %s\n", argv[i]);
    exit(89);
    return false;
  }
  return true;
 }
--- a/test/ossl_shim/test_config.h
+++ b/test/ossl_shim/test_config.h
@ -1,90 +0,0 @@
 /*
 * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */
 #ifndef OSSL_TEST_SHIM_TEST_CONFIG_H
 #define OSSL_TEST_SHIM_TEST_CONFIG_H
 #include <string>
 #include <vector>
 #include <openssl/configuration.h>
 struct TestConfig {
  int port = 0;
  bool is_server = false;
  bool is_dtls = false;
  int resume_count = 0;
  bool fallback_scsv = false;
  std::string key_file;
  std::string cert_file;
  std::string expected_server_name;
  std::string expected_certificate_types;
  bool require_any_client_certificate = false;
  std::string advertise_npn;
  std::string expected_next_proto;
  std::string select_next_proto;
  bool async = false;
  bool write_different_record_sizes = false;
  bool partial_write = false;
  bool no_tls13 = false;
  bool no_tls12 = false;
  bool no_tls11 = false;
  bool no_tls1 = false;
  bool no_ssl3 = false;
  bool shim_writes_first = false;
  std::string host_name;
  std::string advertise_alpn;
  std::string expected_alpn;
  std::string expected_advertised_alpn;
  std::string select_alpn;
  bool decline_alpn = false;
  bool expect_session_miss = false;
  bool expect_extended_master_secret = false;
  std::string psk;
  std::string psk_identity;
  std::string srtp_profiles;
  int min_version = 0;
  int max_version = 0;
  int mtu = 0;
  bool implicit_handshake = false;
  std::string cipher;
  bool handshake_never_done = false;
  int export_keying_material = 0;
  std::string export_label;
  std::string export_context;
  bool use_export_context = false;
  bool expect_ticket_renewal = false;
  bool expect_no_session = false;
  bool use_ticket_callback = false;
  bool renew_ticket = false;
  bool enable_client_custom_extension = false;
  bool enable_server_custom_extension = false;
  bool custom_extension_skip = false;
  bool custom_extension_fail_add = false;
  bool check_close_notify = false;
  bool shim_shuts_down = false;
  bool verify_fail = false;
  bool verify_peer = false;
  bool expect_verify_result = false;
  int expect_total_renegotiations = 0;
  bool renegotiate_freely = false;
  bool p384_only = false;
  bool enable_all_curves = false;
  bool use_sparse_dh_prime = false;
  bool use_old_client_cert_callback = false;
  bool use_null_client_ca_list = false;
  bool peek_then_read = false;
  int max_cert_list = 0;
 };
 bool ParseConfig(int argc, char **argv, TestConfig *out_config);
 #endif  // OSSL_TEST_SHIM_TEST_CONFIG_H
--- a/test/recipes/95-test_external_boringssl.t
+++ b/test/recipes/95-test_external_boringssl.t
@ -1,30 +0,0 @@
 #! /usr/bin/env perl
 # Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License").  You may not use
 # this file except in compliance with the License.  You can obtain a copy
 # in the file LICENSE in the source distribution or at
 # https://www.openssl.org/source/license.html
 use OpenSSL::Test;
 use OpenSSL::Test::Utils;
 use OpenSSL::Test qw/:DEFAULT bldtop_file srctop_file cmdstr/;
 setup("test_external_boringssl");
 plan skip_all => "No external tests in this configuration"
    if disabled("external-tests");
 plan skip_all => "BoringSSL runner not detected"
    if !$ENV{BORING_RUNNER_DIR};
 plan tests => 1;
 indir $ENV{BORING_RUNNER_DIR} => sub {
    ok(run(cmd(["go", "test", "-shim-path",
                bldtop_file("test", "ossl_shim", "ossl_shim"),
                "-shim-config",
                srctop_file("test", "ossl_shim", "ossl_config.json"),
                "-pipe", "-allow-unimplemented"]), prefix => "go test: "),
       "running BoringSSL tests");
 }, create => 0, cleanup => 0;
		`@ -1 +0,0 @@`
			`Subproject commit 2070f8ad9151dc8f3a73bffaa146b5e6937a583f`