[openssl-commits] [openssl] master update

Matt Caswell matt at openssl.org
Thu Nov 10 15:53:22 UTC 2016


The branch master has been updated
       via  b4eee58a5f9dfa493d6cc34b4af871415c67beda (commit)
      from  10b0b5ecd93097179a2b13a7d34e0ab580d23fa2 (commit)


- Log -----------------------------------------------------------------
commit b4eee58a5f9dfa493d6cc34b4af871415c67beda
Author: Matt Caswell <matt at openssl.org>
Date:   Thu Nov 10 15:35:42 2016 +0000

    Fix test_sslcorrupt when using TLSv1.3
    
    The test loops through all the ciphers, attempting to test each one in turn.
    However version negotiation happens before cipher selection, so with TLSv1.3
    switched on if we use a non-TLSv1.3 compatible cipher suite we get "no
    shared cipher".
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 test/sslcorrupttest.c | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)

diff --git a/test/sslcorrupttest.c b/test/sslcorrupttest.c
index 34ac8f7..f07cfce 100644
--- a/test/sslcorrupttest.c
+++ b/test/sslcorrupttest.c
@@ -7,6 +7,7 @@
  * https://www.openssl.org/source/license.html
  */
 
+#include <string.h>
 #include "ssltestlib.h"
 #include "testutil.h"
 
@@ -182,6 +183,8 @@ static int test_ssl_corrupt(int testidx)
     BIO *c_to_s_fbio;
     int testresult = 0;
     static unsigned char junk[16000] = { 0 };
+    STACK_OF(SSL_CIPHER) *ciphers;
+    const SSL_CIPHER *currcipher;
 
     printf("Starting Test %d, %s\n", testidx, cipher_list[testidx]);
 
@@ -196,6 +199,29 @@ static int test_ssl_corrupt(int testidx)
         goto end;
     }
 
+    ciphers = SSL_CTX_get_ciphers(cctx);
+    if (ciphers == NULL || sk_SSL_CIPHER_num(ciphers) != 1) {
+        printf("Unexpected ciphers set\n");
+        goto end;
+    }
+    currcipher = sk_SSL_CIPHER_value(ciphers, 0);
+    if (currcipher == NULL) {
+        printf("Failed getting the current cipher\n");
+        goto end;
+    }
+
+    /*
+     * If we haven't got a TLSv1.3 cipher, then we mustn't attempt to use
+     * TLSv1.3. Version negotiation happens before cipher selection, so we will
+     * get a "no shared cipher" error.
+     */
+    if (strcmp(SSL_CIPHER_get_version(currcipher), "TLSv1.3") != 0) {
+        if (!SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION)) {
+            printf("Failed setting max protocol version\n");
+            goto end;
+        }
+    }
+
     c_to_s_fbio = BIO_new(bio_f_tls_corrupt_filter());
     if (c_to_s_fbio == NULL) {
         printf("Failed to create filter BIO\n");
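Review bot: the TLSv1.3 test in the new block is a string comparison against SSL_CIPHER_get_version(currcipher), so it depends on the exact spelling "TLSv1.3" of the version name; acceptable in a test, but worth a short comment, since the preceding `sk_SSL_CIPHER_num(ciphers) != 1` check also bakes in the assumption that every cipher_list entry expands to exactly one cipher, and both will have to be revisited if cipher_list ever gains a multi-cipher entry. Only the client context cctx is capped with SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION); that is enough, because the server side cannot negotiate a version the client does not offer, but saying so in the comment block above the check would spare the next reader the question. The stack returned by SSL_CTX_get_ciphers() is owned by the context and is correctly not freed on the error paths.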

