[openssl-commits] [openssl] master update
kaduk at mit.edu
kaduk at mit.edu
Fri Dec 8 15:16:44 UTC 2017
The branch master has been updated
via 5f21b440681db5aecf29fbd930d1d8c912fc99b4 (commit)
via cb091295a9ff16f4de1a8b00be444d40ac068d04 (commit)
via 88e09fe79b909fbfe266e87a2731f96c197726fb (commit)
via b6306d8049b04dca7fa738a86c892c43ba6a5fc4 (commit)
from 0488c0bbbe87eee3a800797b91350c653e9f1711 (commit)
- Log -----------------------------------------------------------------
commit 5f21b440681db5aecf29fbd930d1d8c912fc99b4
Author: Benjamin Kaduk <bkaduk at akamai.com>
Date: Thu Dec 7 16:45:47 2017 -0600
Fix test_tls13messages with no-ocsp
s_client -status is not available in this configuration.
While here, remove an outdated TODO(TLS1.3) comment.
Reviewed-by: Matt Caswell <matt at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4873)
commit cb091295a9ff16f4de1a8b00be444d40ac068d04
Author: Benjamin Kaduk <bkaduk at akamai.com>
Date: Thu Dec 7 16:37:54 2017 -0600
Wrap more of ocspapitest.c in OPENSSL_NO_OCSP
make_dummy_resp() uses OCSP types, and get_cert_and_key() is unused
once make_dummy_resp() is compiled out, so neither can be included
in the build when OCSP is disabled and strict warnings are active.
Reviewed-by: Matt Caswell <matt at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4873)
commit 88e09fe79b909fbfe266e87a2731f96c197726fb
Author: Benjamin Kaduk <bkaduk at akamai.com>
Date: Thu Dec 7 14:23:35 2017 -0600
Fix coverity nit in handshake_helper.c
There's no reason to wrap this call in TEST_true() if we're not
checking the return value of TEST_true() -- all of the surrounding
similar calls do not have the macro wrapping them.
Reviewed-by: Matt Caswell <matt at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4873)
commit b6306d8049b04dca7fa738a86c892c43ba6a5fc4
Author: Benjamin Kaduk <bkaduk at akamai.com>
Date: Thu Dec 7 14:14:47 2017 -0600
Fix coverity-reported errors in ocspapitest
Avoid memory leaks in error paths, and correctly apply
parentheses to function calls in a long if-chain.
Reviewed-by: Matt Caswell <matt at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4873)
-----------------------------------------------------------------------
Summary of changes:
test/handshake_helper.c | 4 +--
test/ocspapitest.c | 36 ++++++++++++---------
test/recipes/70-test_tls13messages.t | 61 ++++++++++++++++++------------------
3 files changed, 55 insertions(+), 46 deletions(-)
diff --git a/test/handshake_helper.c b/test/handshake_helper.c
index 78eaa01..0add973 100644
--- a/test/handshake_helper.c
+++ b/test/handshake_helper.c
@@ -497,8 +497,8 @@ static int configure_handshake_ctx(SSL_CTX *server_ctx, SSL_CTX *server2_ctx,
case TLSEXT_max_fragment_length_2048:
case TLSEXT_max_fragment_length_4096:
case TLSEXT_max_fragment_length_DISABLED:
- TEST_true(SSL_CTX_set_tlsext_max_fragment_length(
- client_ctx, extra->client.max_fragment_len_mode));
+ SSL_CTX_set_tlsext_max_fragment_length(
+ client_ctx, extra->client.max_fragment_len_mode);
break;
}
diff --git a/test/ocspapitest.c b/test/ocspapitest.c
index e76f7243..43b03e3 100644
--- a/test/ocspapitest.c
+++ b/test/ocspapitest.c
@@ -21,6 +21,7 @@
static const char *certstr;
static const char *privkeystr;
+#ifndef OPENSSL_NO_OCSP
static int get_cert_and_key(X509 **cert_out, EVP_PKEY **key_out)
{
BIO *certbio, *keybio;
@@ -51,7 +52,8 @@ static OCSP_BASICRESP *make_dummy_resp(void)
const unsigned char namestr[] = "openssl.example.com";
unsigned char keybytes[128] = {7};
OCSP_BASICRESP *bs = OCSP_BASICRESP_new();
- OCSP_CERTID *cid;
+ OCSP_BASICRESP *bs_out = NULL;
+ OCSP_CERTID *cid = NULL;
ASN1_TIME *thisupd = ASN1_TIME_set(NULL, time(NULL));
ASN1_TIME *nextupd = ASN1_TIME_set(NULL, time(NULL) + 200);
X509_NAME *name = X509_NAME_new();
@@ -60,9 +62,9 @@ static OCSP_BASICRESP *make_dummy_resp(void)
if (!X509_NAME_add_entry_by_NID(name, NID_commonName, MBSTRING_ASC,
namestr, -1, -1, 1)
- || !ASN1_BIT_STRING_set(key, keybytes, sizeof(keybytes)
- || !ASN1_INTEGER_set_uint64(serial, (uint64_t)1)))
- return NULL;
+ || !ASN1_BIT_STRING_set(key, keybytes, sizeof(keybytes))
+ || !ASN1_INTEGER_set_uint64(serial, (uint64_t)1))
+ goto err;
cid = OCSP_cert_id_new(EVP_sha256(), name, key, serial);
if (!TEST_ptr(bs)
|| !TEST_ptr(thisupd)
@@ -71,23 +73,27 @@ static OCSP_BASICRESP *make_dummy_resp(void)
|| !TEST_true(OCSP_basic_add1_status(bs, cid,
V_OCSP_CERTSTATUS_UNKNOWN,
0, NULL, thisupd, nextupd)))
- return NULL;
+ goto err;
+ bs_out = bs;
+ bs = NULL;
+ err:
ASN1_TIME_free(thisupd);
ASN1_TIME_free(nextupd);
ASN1_BIT_STRING_free(key);
ASN1_INTEGER_free(serial);
OCSP_CERTID_free(cid);
+ OCSP_BASICRESP_free(bs);
X509_NAME_free(name);
- return bs;
+ return bs_out;
}
-#ifndef OPENSSL_NO_OCSP
static int test_resp_signer(void)
{
- OCSP_BASICRESP *bs;
+ OCSP_BASICRESP *bs = NULL;
X509 *signer = NULL, *tmp;
EVP_PKEY *key = NULL;
- STACK_OF(X509) *extra_certs;
+ STACK_OF(X509) *extra_certs = NULL;
+ int ret = 0;
/*
* Test a response with no certs at all; get the signer from the
@@ -101,10 +107,10 @@ static int test_resp_signer(void)
|| !TEST_true(sk_X509_push(extra_certs, signer))
|| !TEST_true(OCSP_basic_sign(bs, signer, key, EVP_sha1(),
NULL, OCSP_NOCERTS)))
- return 0;
+ goto err;
if (!TEST_true(OCSP_resp_get0_signer(bs, &tmp, extra_certs))
|| !TEST_int_eq(X509_cmp(tmp, signer), 0))
- return 0;
+ goto err;
OCSP_BASICRESP_free(bs);
/* Do it again but include the signer cert */
@@ -113,15 +119,17 @@ static int test_resp_signer(void)
if (!TEST_ptr(bs)
|| !TEST_true(OCSP_basic_sign(bs, signer, key, EVP_sha1(),
NULL, 0)))
- return 0;
+ goto err;
if (!TEST_true(OCSP_resp_get0_signer(bs, &tmp, NULL))
|| !TEST_int_eq(X509_cmp(tmp, signer), 0))
- return 0;
+ goto err;
+ ret = 1;
+ err:
OCSP_BASICRESP_free(bs);
sk_X509_free(extra_certs);
X509_free(signer);
EVP_PKEY_free(key);
- return 1;
+ return ret;
}
#endif
diff --git a/test/recipes/70-test_tls13messages.t b/test/recipes/70-test_tls13messages.t
index aaecbd3..5bd2a96 100644
--- a/test/recipes/70-test_tls13messages.t
+++ b/test/recipes/70-test_tls13messages.t
@@ -170,38 +170,39 @@ checkhandshake($proxy, checkhandshake::RESUME_HANDSHAKE,
| checkhandshake::PSK_SRV_EXTENSION),
"Resumption handshake test");
-#Test 3: A status_request handshake (client request only)
-$proxy->clear();
-$proxy->clientflags("-status");
-$proxy->start();
-checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
- checkhandshake::DEFAULT_EXTENSIONS
- | checkhandshake::STATUS_REQUEST_CLI_EXTENSION,
- "status_request handshake test (client)");
+SKIP: {
+ skip "No OCSP support in this OpenSSL build", 3
+ if disabled("ct") || disabled("ec") || disabled("ocsp");
+ #Test 3: A status_request handshake (client request only)
+ $proxy->clear();
+ $proxy->clientflags("-status");
+ $proxy->start();
+ checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
+ checkhandshake::DEFAULT_EXTENSIONS
+ | checkhandshake::STATUS_REQUEST_CLI_EXTENSION,
+ "status_request handshake test (client)");
-#Test 4: A status_request handshake (server support only)
-$proxy->clear();
-$proxy->serverflags("-status_file "
- .srctop_file("test", "recipes", "ocsp-response.der"));
-$proxy->start();
-checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
- checkhandshake::DEFAULT_EXTENSIONS,
- "status_request handshake test (server)");
+ #Test 4: A status_request handshake (server support only)
+ $proxy->clear();
+ $proxy->serverflags("-status_file "
+ .srctop_file("test", "recipes", "ocsp-response.der"));
+ $proxy->start();
+ checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
+ checkhandshake::DEFAULT_EXTENSIONS,
+ "status_request handshake test (server)");
-#Test 5: A status_request handshake (client and server)
-#TODO(TLS1.3): TLS1.3 doesn't actually have CertificateStatus messages. This is
-#a temporary test until such time as we do proper TLS1.3 style certificate
-#status
-$proxy->clear();
-$proxy->clientflags("-status");
-$proxy->serverflags("-status_file "
- .srctop_file("test", "recipes", "ocsp-response.der"));
-$proxy->start();
-checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
- checkhandshake::DEFAULT_EXTENSIONS
- | checkhandshake::STATUS_REQUEST_CLI_EXTENSION
- | checkhandshake::STATUS_REQUEST_SRV_EXTENSION,
- "status_request handshake test");
+ #Test 5: A status_request handshake (client and server)
+ $proxy->clear();
+ $proxy->clientflags("-status");
+ $proxy->serverflags("-status_file "
+ .srctop_file("test", "recipes", "ocsp-response.der"));
+ $proxy->start();
+ checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE,
+ checkhandshake::DEFAULT_EXTENSIONS
+ | checkhandshake::STATUS_REQUEST_CLI_EXTENSION
+ | checkhandshake::STATUS_REQUEST_SRV_EXTENSION,
+ "status_request handshake test");
+}
#Test 6: A client auth handshake
$proxy->clear();
More information about the openssl-commits
mailing list