[openssl-commits] [openssl] master update
Richard Levitte
levitte at openssl.org
Thu Dec 29 14:45:03 UTC 2016
The branch master has been updated
via 2ed4c5714946a8d0285905d0fc98663bb785eb83 (commit)
via ac6eb1529349e3daf69c686c9a9f778a15fda592 (commit)
via 7638e378465433ecfc4333ef3033e59c77cb0006 (commit)
via f6e752c0ac2e1ba8bcecc27bc54e30b895e0a1d3 (commit)
from 0a6793c942b525124990847b50ee18c7dc3359d4 (commit)
- Log -----------------------------------------------------------------
commit 2ed4c5714946a8d0285905d0fc98663bb785eb83
Author: Richard Levitte <levitte at openssl.org>
Date: Thu Dec 29 13:15:13 2016 +0100
70-test_sslvertol.t: skip test 1 and 2 if too few protocols are enabled
These tests depend on there being at least one protocol version below
TLSv1.3 enabled.
Reviewed-by: Matt Caswell <matt at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2144)
commit ac6eb1529349e3daf69c686c9a9f778a15fda592
Author: Richard Levitte <levitte at openssl.org>
Date: Sun Dec 25 17:57:32 2016 +0100
80-test_ssl_new.t: Make 19-mac-then-encrypt.conf work without TLSv1.2
Reviewed-by: Matt Caswell <matt at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2144)
commit 7638e378465433ecfc4333ef3033e59c77cb0006
Author: Richard Levitte <levitte at openssl.org>
Date: Sun Dec 25 17:56:52 2016 +0100
70-test_sslvertol.t: Make sure to check a max TLS version that matches configuration
Reviewed-by: Matt Caswell <matt at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2144)
commit f6e752c0ac2e1ba8bcecc27bc54e30b895e0a1d3
Author: Richard Levitte <levitte at openssl.org>
Date: Sun Dec 25 17:55:57 2016 +0100
70-test_sslmessages.t: Don't check EXT_SIG_ALGS if TLS 1.2 is disabled
Reviewed-by: Matt Caswell <matt at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2144)
-----------------------------------------------------------------------
Summary of changes:
test/recipes/70-test_sslmessages.t | 5 +-
test/recipes/70-test_sslvertol.t | 87 ++++++++++++++++++++++++------
test/recipes/80-test_ssl_new.t | 3 +-
test/ssl-tests/19-mac-then-encrypt.conf.in | 7 +++
4 files changed, 83 insertions(+), 19 deletions(-)
diff --git a/test/recipes/70-test_sslmessages.t b/test/recipes/70-test_sslmessages.t
index 48a2708..9221529 100755
--- a/test/recipes/70-test_sslmessages.t
+++ b/test/recipes/70-test_sslmessages.t
@@ -105,8 +105,9 @@ my $proxy = TLSProxy::Proxy->new(
[TLSProxy::Message::MT_CLIENT_HELLO,
TLSProxy::Message::EXT_EC_POINT_FORMATS,
checkhandshake::DEFAULT_EXTENSIONS]),
- [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SIG_ALGS,
- checkhandshake::DEFAULT_EXTENSIONS],
+ (disabled("tls1_2") ? () :
+ [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SIG_ALGS,
+ checkhandshake::DEFAULT_EXTENSIONS]),
[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_ALPN,
checkhandshake::ALPN_CLI_EXTENSION],
[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SCT,
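Review bot: The `disabled("tls1_2") ? () :` gate on the EXT_SIG_ALGS entry has no comment saying why the extension is tied to TLS 1.2, and the enclosing list starts and ends outside the hunk, so the reason cannot be read off here. A one-line comment such as `# signature_algorithms is only expected when TLS 1.2 is offered` would record the intent. If any handshake checked against this table can run with TLS 1.3 enabled, it is worth confirming that the extension really is absent in a no-tls1_2 build, since the hunk does not show which protocol flags the proxy uses.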
diff --git a/test/recipes/70-test_sslvertol.t b/test/recipes/70-test_sslvertol.t
index 108166f..a834043 100755
--- a/test/recipes/70-test_sslvertol.t
+++ b/test/recipes/70-test_sslvertol.t
@@ -34,33 +34,75 @@ my $proxy = TLSProxy::Proxy->new(
(!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE})
);
+my @available_tls_versions = ();
+foreach (available_protocols("tls")) {
+ unless (disabled($_)) {
+ note("Checking enabled protocol $_");
+ m|^([a-z]+)(\d)(_\d)?|;
+ my $versionname;
+ if (defined $3) {
+ $versionname = 'TLSProxy::Record::VERS_'.uc($1).'_'.$2.$3;
+ note("'$1', '$2', '$3' => $versionname");
+ } else {
+ $versionname = 'TLSProxy::Record::VERS_'.uc($1).'_'.$2.'_0';
+ note("'$1', '$2' => $versionname");
+ }
+ push @available_tls_versions, eval $versionname;
+ }
+}
+note("TLS versions we can expect: ", join(", ", @available_tls_versions));
+
#This file does tests without the supported_versions extension.
#See 70-test_sslversions.t for tests with supported versions.
-#Test 1: Asking for TLS1.4 should pass and negotiate TLS1.2
+
+#Test 1: Asking for TLS1.4 should pass and negotiate the maximum
+#available TLS version according to configuration below TLS1.3
my $client_version = TLSProxy::Record::VERS_TLS_1_4;
+my $previous_version = tls_version_below(TLSProxy::Record::VERS_TLS_1_3);
$proxy->clientflags("-no_tls1_3");
$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
plan tests => 3;
-my $record = pop @{$proxy->record_list};
-ok(TLSProxy::Message->success()
- && $record->version() == TLSProxy::Record::VERS_TLS_1_2,
- "Version tolerance test, TLS 1.4");
+SKIP: {
+ skip "There are too few protocols enabled for test 1", 1
+ unless defined $previous_version;
-#Test 2: Asking for TLS1.3 should succeed and negotiate TLS1.2
-$proxy->clear();
-$proxy->clientflags("-no_tls1_3");
-$proxy->start();
-$record = pop @{$proxy->record_list};
-ok(TLSProxy::Message->success()
- && $record->version() == TLSProxy::Record::VERS_TLS_1_2,
- "Version tolerance test, TLS 1.3");
+ my $record = pop @{$proxy->record_list};
+ ok((note("Record version received: ".$record->version()),
+ TLSProxy::Message->success())
+ && $record->version() == $previous_version,
+ "Version tolerance test, below TLS 1.4 and not TLS 1.3");
+}
-#Test 3: Testing something below SSLv3 should fail
+#Test 2: Asking for TLS1.3 with that disabled should succeed and negotiate
+#the highest configured TLS version below that.
+$client_version = TLSProxy::Record::VERS_TLS_1_3;
+$previous_version = tls_version_below($client_version);
+SKIP: {
+ skip "There are too few protocols enabled for test 2", 1
+ unless defined $previous_version;
+
+ $proxy->clear();
+ $proxy->clientflags("-no_tls1_3");
+ $proxy->start();
+ my $record = pop @{$proxy->record_list};
+ ok((note("Record version received: ".$record->version()),
+ TLSProxy::Message->success())
+ && $record->version() == $previous_version,
+ "Version tolerance test, max version but not TLS 1.3");
+}
+
+#Test 3: Testing something below SSLv3 should fail. We must disable TLS 1.3
+#to avoid having the 'supported_versions' extension kick in and override our
+#desires.
$client_version = TLSProxy::Record::VERS_SSL_3_0 - 1;
$proxy->clear();
$proxy->clientflags("-no_tls1_3");
$proxy->start();
-ok(TLSProxy::Message->fail(), "Version tolerance test, SSL < 3.0");
+my $record = pop @{$proxy->record_list};
+ok((note("Record version received: ".
+ (defined $record ? $record->version() : "none")),
+ TLSProxy::Message->fail()),
+ "Version tolerance test, SSL < 3.0");
sub vers_tolerance_filter
{
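Review bot: In tests 1 and 2 the `note("Record version received: ".$record->version())` argument is evaluated before `TLSProxy::Message->success()`, so an empty record list makes the script die on an undefined `$record` instead of reporting a failed test; the removed code only reached `$record->version()` after `success()` had returned true. Test 3 already guards this with `defined $record ? $record->version() : "none"`, and the same guard fits both earlier notes, with `defined $record &&` placed ahead of the version comparison. Separately, the result of `m|^([a-z]+)(\d)(_\d)?|` is not checked, so a name that fails to match would reuse the captures of the previous iteration, and `eval $versionname` pushes undef when the constant does not resolve. `my $v = eval $versionname; die "unknown $versionname" unless defined $v;` would make that case loud rather than a later warning in the numeric comparison.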
@@ -74,10 +116,23 @@ sub vers_tolerance_filter
foreach my $message (@{$proxy->message_list}) {
if ($message->mt == TLSProxy::Message::MT_CLIENT_HELLO) {
#Set the client version
- #Anything above the max supported version (TLS1.2) should succeed
+ #Anything above the max supported version should succeed
#Anything below SSLv3 should fail
$message->client_version($client_version);
$message->repack();
}
}
}
+
+sub tls_version_below {
+ if (@_) {
+ my $term = shift;
+ my $res = undef;
+
+ foreach (@available_tls_versions) {
+ $res = $_ if $_ < $term;
+ }
+ return $res;
+ }
+ return $available_tls_versions[-1];
+}
diff --git a/test/recipes/80-test_ssl_new.t b/test/recipes/80-test_ssl_new.t
index 7b624ac..08ee494 100644
--- a/test/recipes/80-test_ssl_new.t
+++ b/test/recipes/80-test_ssl_new.t
@@ -57,6 +57,7 @@ my %conf_dependent_tests = (
"07-dtls-protocol-version.conf" => !$is_default_dtls,
"10-resumption.conf" => !$is_default_tls,
"11-dtls_resumption.conf" => !$is_default_dtls,
+ "19-mac-then-encrypt.conf" => !$is_default_tls,
);
# Add your test here if it should be skipped for some compile-time
@@ -78,7 +79,7 @@ my %skip = (
"15-certstatus.conf" => $no_tls || $no_ocsp,
"16-dtls-certstatus.conf" => $no_dtls || $no_ocsp,
"18-dtls-renegotiate.conf" => $no_dtls,
- "19-mac-then-encrypt.conf" => $no_pre_tls1_3
+ "19-mac-then-encrypt.conf" => $no_pre_tls1_3,
);
foreach my $conf (@conf_files) {
diff --git a/test/ssl-tests/19-mac-then-encrypt.conf.in b/test/ssl-tests/19-mac-then-encrypt.conf.in
index 096423b..d51cfa3 100644
--- a/test/ssl-tests/19-mac-then-encrypt.conf.in
+++ b/test/ssl-tests/19-mac-then-encrypt.conf.in
@@ -11,6 +11,8 @@
package ssltests;
+use OpenSSL::Test::Utils;
+
our @tests = (
{
name => "disable-encrypt-then-mac-server-sha",
@@ -52,6 +54,9 @@ our @tests = (
"ExpectedResult" => "Success",
},
},
+);
+
+my @tests_tls1_2 = (
{
name => "disable-encrypt-then-mac-server-sha2",
server => {
@@ -93,3 +98,5 @@ our @tests = (
},
},
);
+
+push @tests, @tests_tls1_2 unless disabled("tls1_2");