[openssl-commits] [openssl] master update

Matt Caswell matt at openssl.org
Tue Nov 29 22:53:20 UTC 2016


The branch master has been updated
       via  54d028aa0f5dc50ec64a8d99ed43b81519b0443b (commit)
      from  5bdcd362d24cbbcf18c5eb9df655fe9f7bcf5850 (commit)


- Log -----------------------------------------------------------------
commit 54d028aa0f5dc50ec64a8d99ed43b81519b0443b
Author: Matt Caswell <matt at openssl.org>
Date:   Tue Nov 29 09:49:04 2016 +0000

    Fix mac-then-encrypt test with enable-tls1_3
    
    Commit b3618f44 added a test for mac-then-encrypt. However the test fails
    when running with "enable-tls1_3". The problem is that the test creates a
    connection, which ends up being TLSv1.3. However it also restricts the
    ciphers to a single mac-then-encrypt ciphersuite that is not TLSv1.3
    compatible so the connection aborts and the test fails. Mac-then-encrypt
    is not relevant to TLSv1.3, so the test should disable that protocol
    version.
    
    Reviewed-by: Emilia Käsper <emilia at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 test/recipes/80-test_ssl_new.t             | 3 +++
 test/ssl-tests/19-mac-then-encrypt.conf    | 6 ++++++
 test/ssl-tests/19-mac-then-encrypt.conf.in | 6 ++++++
 3 files changed, 15 insertions(+)

diff --git a/test/recipes/80-test_ssl_new.t b/test/recipes/80-test_ssl_new.t
index de94495..7b624ac 100644
--- a/test/recipes/80-test_ssl_new.t
+++ b/test/recipes/80-test_ssl_new.t
@@ -39,7 +39,9 @@ my $is_default_tls = (disabled("ssl3") && !disabled("tls1") &&
 
 my $is_default_dtls = (!disabled("dtls1") && !disabled("dtls1_2"));
 
+my @all_pre_tls1_3 = ("ssl3", "tls1", "tls1_1", "tls1_2");
 my $no_tls = alldisabled(available_protocols("tls"));
+my $no_pre_tls1_3 = alldisabled(@all_pre_tls1_3);
 my $no_dtls = alldisabled(available_protocols("dtls"));
 my $no_npn = disabled("nextprotoneg");
 my $no_ct = disabled("ct");
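Review bot: `@all_pre_tls1_3` hard-codes the protocol names right next to a call that already asks `available_protocols("tls")` for the same family, so the two lists can drift apart if the protocol set changes. Deriving it would keep one source of truth, e.g. `my @all_pre_tls1_3 = grep { $_ ne "tls1_3" } available_protocols("tls");`, assuming that helper reports TLSv1.3 under the name `tls1_3`, which this hunk does not show. Either way, a short comment such as `# versions that can still negotiate MAC-then-encrypt suites` would tell the reader why TLSv1.3 is singled out.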
@@ -76,6 +78,7 @@ my %skip = (
   "15-certstatus.conf" => $no_tls || $no_ocsp,
   "16-dtls-certstatus.conf" => $no_dtls || $no_ocsp,
   "18-dtls-renegotiate.conf" => $no_dtls,
+  "19-mac-then-encrypt.conf" => $no_pre_tls1_3
 );
 
 foreach my $conf (@conf_files) {
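Review bot: The skip condition on the new `19-mac-then-encrypt.conf` entry only fires when ssl3, tls1, tls1_1 and tls1_2 are all disabled, but three of the six cases in that file pin `AES128-SHA256`, which is a TLSv1.2-only ciphersuite. A build with `no-tls1_2` and TLSv1.0/1.1 still enabled would therefore run the file, and those cases would probably fail the handshake, the same failure mode this commit fixes for TLSv1.3. The simplest guard is `"19-mac-then-encrypt.conf" => $no_pre_tls1_3 || disabled("tls1_2"),`, written with the trailing comma its neighbours carry. Emitting the SHA256 cases only when tls1_2 is available would instead keep the SHA1 cases running on such builds. The `%skip` initialiser opens above the hunk and the `foreach` body continues below it.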
diff --git a/test/ssl-tests/19-mac-then-encrypt.conf b/test/ssl-tests/19-mac-then-encrypt.conf
index 40480ed..bba44d1 100644
--- a/test/ssl-tests/19-mac-then-encrypt.conf
+++ b/test/ssl-tests/19-mac-then-encrypt.conf
@@ -25,6 +25,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
 [0-disable-encrypt-then-mac-server-sha-client]
 CipherString = AES128-SHA
+MaxProtocol = TLSv1.2
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
@@ -48,6 +49,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
 [1-disable-encrypt-then-mac-client-sha-client]
 CipherString = AES128-SHA
+MaxProtocol = TLSv1.2
 Options = -EncryptThenMac
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
@@ -73,6 +75,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
 [2-disable-encrypt-then-mac-both-sha-client]
 CipherString = AES128-SHA
+MaxProtocol = TLSv1.2
 Options = -EncryptThenMac
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
@@ -93,6 +96,7 @@ client = 3-disable-encrypt-then-mac-server-sha2-client
 [3-disable-encrypt-then-mac-server-sha2-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
+MaxProtocol = TLSv1.2
 Options = -EncryptThenMac
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
@@ -121,6 +125,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
 [4-disable-encrypt-then-mac-client-sha2-client]
 CipherString = AES128-SHA256
+MaxProtocol = TLSv1.2
 Options = -EncryptThenMac
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
@@ -146,6 +151,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
 [5-disable-encrypt-then-mac-both-sha2-client]
 CipherString = AES128-SHA256
+MaxProtocol = TLSv1.2
 Options = -EncryptThenMac
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
diff --git a/test/ssl-tests/19-mac-then-encrypt.conf.in b/test/ssl-tests/19-mac-then-encrypt.conf.in
index 01afe25..096423b 100644
--- a/test/ssl-tests/19-mac-then-encrypt.conf.in
+++ b/test/ssl-tests/19-mac-then-encrypt.conf.in
@@ -19,6 +19,7 @@ our @tests = (
         },
         client => {
           "CipherString" => "AES128-SHA",
+          "MaxProtocol" => "TLSv1.2"
         },
         test   => {
           "ExpectedResult" => "Success",
@@ -31,6 +32,7 @@ our @tests = (
         client => {
           "CipherString" => "AES128-SHA",
           "Options" => "-EncryptThenMac",
+          "MaxProtocol" => "TLSv1.2"
         },
         test   => {
           "ExpectedResult" => "Success",
@@ -44,6 +46,7 @@ our @tests = (
         client => {
           "CipherString" => "AES128-SHA",
           "Options" => "-EncryptThenMac",
+          "MaxProtocol" => "TLSv1.2"
         },
         test   => {
           "ExpectedResult" => "Success",
@@ -53,6 +56,7 @@ our @tests = (
         name => "disable-encrypt-then-mac-server-sha2",
         server => {
           "Options" => "-EncryptThenMac",
+          "MaxProtocol" => "TLSv1.2"
         },
         client => {
           "CipherString" => "AES128-SHA256",
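Review bot: In this test (`disable-encrypt-then-mac-server-sha2`) the `"MaxProtocol" => "TLSv1.2"` cap is added to the `server` hash, whereas the other five tests in the file add it to `client`. The handshake should still settle on TLSv1.2 either way, but on an enable-tls1_3 build this case alone pairs an uncapped client with a capped server, which reads like a slip rather than a deliberate variation. If it is not intended, move the line into the `client` hash next to `"CipherString" => "AES128-SHA256",`; if it is, a one-line comment saying so would help. The generated `19-mac-then-encrypt.conf` carries the same placement in `[3-disable-encrypt-then-mac-server-sha2-server]`. The test entry starts above this hunk and continues below it.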
@@ -68,6 +72,7 @@ our @tests = (
         client => {
           "CipherString" => "AES128-SHA256",
           "Options" => "-EncryptThenMac",
+          "MaxProtocol" => "TLSv1.2"
         },
         test   => {
           "ExpectedResult" => "Success",
@@ -81,6 +86,7 @@ our @tests = (
         client => {
           "CipherString" => "AES128-SHA256",
           "Options" => "-EncryptThenMac",
+          "MaxProtocol" => "TLSv1.2"
         },
         test   => {
           "ExpectedResult" => "Success",

