[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
Matt Caswell
matt at openssl.org
Mon Jan 23 14:16:21 UTC 2017
The branch OpenSSL_1_1_0-stable has been updated
via c4fec137617c2002f6f8a76981a47ab79908f628 (commit)
via caa2427f0c743beb0f6d1736dc8c0e4e551a0e1f (commit)
via 8a72eafbeaef9df212675f4e0e169ce560b21f41 (commit)
via c25d172a5845824e225db91ef87c7f8d0ea803e6 (commit)
via f31917afc4fbc9061a1dc41f9a660dcb5537bf78 (commit)
via 4b684b54d6418727372200557b0386729e2ee8e5 (commit)
via 6bc3bcb34946933bf14c7d8df3cc646f5f977160 (commit)
from 7bd011d70e85b2fff2928e30adf6965d34af9f04 (commit)
- Log -----------------------------------------------------------------
commit c4fec137617c2002f6f8a76981a47ab79908f628
Author: Matt Caswell <matt at openssl.org>
Date: Tue Nov 22 16:55:35 2016 +0000
Extend the test_ssl_new renegotiation tests to include client auth
Reviewed-by: Richard Levitte <levitte at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1983)
commit caa2427f0c743beb0f6d1736dc8c0e4e551a0e1f
Author: Matt Caswell <matt at openssl.org>
Date: Tue Nov 22 16:54:28 2016 +0000
Stop server from expecting Certificate message when not requested
In a non client-auth renegotiation where the original handshake *was*
client auth, the server will expect the client to send a Certificate
message anyway, resulting in a connection failure.
Reviewed-by: Richard Levitte <levitte at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1983)
commit 8a72eafbeaef9df212675f4e0e169ce560b21f41
Author: Matt Caswell <matt at openssl.org>
Date: Tue Nov 22 16:39:27 2016 +0000
Stop client from sending Certificate message when not requested
In a non client-auth renegotiation where the original handshake *was*
client auth, the client will send a Certificate message anyway,
resulting in a connection failure.
Reviewed-by: Richard Levitte <levitte at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1983)
commit c25d172a5845824e225db91ef87c7f8d0ea803e6
Author: Matt Caswell <matt at openssl.org>
Date: Tue Nov 22 16:23:22 2016 +0000
Fix SSL_VERIFY_CLIENT_ONCE
The flag SSL_VERIFY_CLIENT_ONCE is documented as follows:
B<Server mode:> only request a client certificate on the initial TLS/SSL
handshake. Do not ask for a client certificate again in case of a
renegotiation. This flag must be used together with SSL_VERIFY_PEER.
B<Client mode:> ignored
But the implementation actually did nothing. After the server sends its
ServerKeyExchange message, the code was checking s->session->peer to see if
it is NULL. If it was set then it did not ask for another client
certificate. However s->session->peer will only be set in the event of a
resumption, but a ServerKeyExchange message is only sent in the event of a
full handshake (i.e. no resumption).
The documentation suggests that the original intention was for this to
have an effect on renegotiation, and resumption doesn't come into it.
The fix is to properly check for renegotiation, not whether there is already
a client certificate in the session.
As far as I can tell this has been broken for a *long* time.
Reviewed-by: Richard Levitte <levitte at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1983)
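As an added illustration (not part of the commit or of OpenSSL's own source), a C model of the condition in send_certificate_request() before and after this change, run over the three handshake kinds the message distinguishes. It assumes, as the patch does, that finish_md_len is still non-zero from the previous handshake when a renegotiation starts and that session->peer is only populated on resumption; struct conn and certificate_request_sent() are names of the model, not OpenSSL's.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define SSL_VERIFY_PEER        0x01   /* bits as OpenSSL defines them */
#define SSL_VERIFY_CLIENT_ONCE 0x04

enum hs_kind { HS_INITIAL, HS_RESUMED, HS_RENEG };  /* kinds the commit message distinguishes */

/* Stand-ins for the two fields the old and new checks read. Assumption (not
 * stated in the patch): finish_md_len is still non-zero from the previous
 * handshake when a renegotiation starts; session->peer is set only on resumption. */
struct conn {
    bool   session_peer_set;  /* s->session->peer != NULL */
    size_t finish_md_len;     /* s->s3->tmp.finish_md_len */
    int    verify_mode;
};

static struct conn model(enum hs_kind k, int verify_mode)
{
    struct conn c = { false, 0, verify_mode };
    if (k == HS_RESUMED) c.session_peer_set = true; /* peer cert restored with the session */
    if (k == HS_RENEG)   c.finish_md_len = 12;      /* a Finished MAC was computed earlier */
    return c;
}

/* Condition before the patch: (s->session->peer == NULL) || !ONCE. */
static bool request_cert_old(const struct conn *c)
{
    return (c->verify_mode & SSL_VERIFY_PEER)
        && (!c->session_peer_set || !(c->verify_mode & SSL_VERIFY_CLIENT_ONCE));
}

/* Condition after the patch: (s->s3->tmp.finish_md_len == 0) || !ONCE. */
static bool request_cert_new(const struct conn *c)
{
    return (c->verify_mode & SSL_VERIFY_PEER)
        && (c->finish_md_len == 0 || !(c->verify_mode & SSL_VERIFY_CLIENT_ONCE));
}

/* Would the server emit a CertificateRequest? A resumed (abbreviated) handshake
 * never reaches send_certificate_request(), so it is false whatever the mode. */
bool certificate_request_sent(enum hs_kind k, int verify_mode, bool fixed)
{
    struct conn c = model(k, verify_mode);
    if (k == HS_RESUMED)
        return false;
    return fixed ? request_cert_new(&c) : request_cert_old(&c);
}

int main(void)
{
    static const char *names[] = { "initial", "resumed", "renegotiation" };
    int mode = SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE;
    for (int k = HS_INITIAL; k <= HS_RENEG; k++)   /* old asks again on renegotiation */
        printf("%-14s before=%d after=%d\n", names[k],
               certificate_request_sent((enum hs_kind)k, mode, false),
               certificate_request_sent((enum hs_kind)k, mode, true));
    return 0;
}
```

The only row where the two conditions disagree is the renegotiation with SSL_VERIFY_CLIENT_ONCE set, which is the case the flag was documented to cover.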
commit f31917afc4fbc9061a1dc41f9a660dcb5537bf78
Author: Matt Caswell <matt at openssl.org>
Date: Tue Nov 22 16:16:11 2016 +0000
Add a test to check messages sent are the ones we expect
Repeat for various handshake types
Reviewed-by: Richard Levitte <levitte at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1983)
commit 4b684b54d6418727372200557b0386729e2ee8e5
Author: Matt Caswell <matt at openssl.org>
Date: Tue Nov 22 13:43:50 2016 +0000
Support renegotiation in TLSProxy
Reviewed-by: Richard Levitte <levitte at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1983)
commit 6bc3bcb34946933bf14c7d8df3cc646f5f977160
Author: Matt Caswell <matt at openssl.org>
Date: Tue Nov 22 16:16:23 2016 +0000
Fix a bug in TLSProxy where zero length messages were not being recorded
Reviewed-by: Richard Levitte <levitte at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1983)
-----------------------------------------------------------------------
Summary of changes:
ssl/statem/statem.c | 4 +-
ssl/statem/statem_srvr.c | 2 +-
test/recipes/70-test_sslmessages.t | 147 +++++++++++++++++++++++++++++
test/ssl-tests/17-renegotiate.conf | 68 ++++++++++++-
test/ssl-tests/17-renegotiate.conf.in | 39 ++++++++
test/ssl-tests/18-dtls-renegotiate.conf | 64 ++++++++++++-
test/ssl-tests/18-dtls-renegotiate.conf.in | 35 +++++++
util/TLSProxy/Message.pm | 2 +-
util/TLSProxy/Proxy.pm | 19 +++-
9 files changed, 374 insertions(+), 6 deletions(-)
create mode 100755 test/recipes/70-test_sslmessages.t
diff --git a/ssl/statem/statem.c b/ssl/statem/statem.c
index caaf068..512f1e0 100644
--- a/ssl/statem/statem.c
+++ b/ssl/statem/statem.c
@@ -361,6 +361,8 @@ static int state_machine(SSL *s, int server)
*/
s->ctx->stats.sess_accept_renegotiate++;
}
+
+ s->s3->tmp.cert_request = 0;
} else {
s->ctx->stats.sess_connect++;
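Review bot: the new `s->s3->tmp.cert_request = 0;` sits at the end of the server branch, just above the `} else {` that begins the client branch, so it now runs for initial and renegotiated server handshakes alike; a one-line comment saying it clears the certificate-request state left behind by the previous handshake (the server-side symptom in commit caa2427) would make its placement after the `sess_accept_renegotiate++` counter self-explanatory.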
@@ -368,7 +370,7 @@ static int state_machine(SSL *s, int server)
memset(s->s3->client_random, 0, sizeof(s->s3->client_random));
s->hit = 0;
- s->s3->tmp.cert_request = 0;
+ s->s3->tmp.cert_req = 0;
if (SSL_IS_DTLS(s)) {
st->use_timer = 1;
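Review bot: the client branch switches from `s->s3->tmp.cert_request` to `s->s3->tmp.cert_req`; the two fields differ by only a few characters and belong to different sides (this hunk resets the client-side one, the previous hunk the server-side one), so a short comment at each reset naming which side owns the field would stop the original mix-up from being reintroduced.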
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index 9327654..41215da 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -276,7 +276,7 @@ static int send_certificate_request(SSL *s)
* if SSL_VERIFY_CLIENT_ONCE is set, don't request cert
* during re-negotiation:
*/
- && ((s->session->peer == NULL) ||
+ && (s->s3->tmp.finish_md_len == 0 ||
!(s->verify_mode & SSL_VERIFY_CLIENT_ONCE))
/*
* never request cert in anonymous ciphersuites (see
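Review bot: the new test `s->s3->tmp.finish_md_len == 0` stands in for "this is the initial handshake", but the comment above it still only says "don't request cert during re-negotiation" and nothing records why a zero Finished-MAC length implies that; suggest extending the comment with the invariant being relied on (no Finished has yet been computed on this connection, so this cannot be a renegotiation), since a later change that clears finish_md_len at the start of a renegotiation would silently re-break SSL_VERIFY_CLIENT_ONCE.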
diff --git a/test/recipes/70-test_sslmessages.t b/test/recipes/70-test_sslmessages.t
new file mode 100755
index 0000000..c4adf58
--- /dev/null
+++ b/test/recipes/70-test_sslmessages.t
@@ -0,0 +1,147 @@
+#! /usr/bin/env perl
+# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+use strict;
+use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file bldtop_dir/;
+use OpenSSL::Test::Utils;
+use File::Temp qw(tempfile);
+use TLSProxy::Proxy;
+my $test_name = "test_tls13messages";
+setup($test_name);
+
+plan skip_all => "TLSProxy isn't usable on $^O"
+ if $^O =~ /^(VMS|MSWin32)$/;
+
+plan skip_all => "$test_name needs the dynamic engine feature enabled"
+ if disabled("engine") || disabled("dynamic-engine");
+
+plan skip_all => "$test_name needs the sock feature enabled"
+ if disabled("sock");
+
+plan skip_all => "$test_name needs TLS enabled"
+ if alldisabled(available_protocols("tls"));
+
+$ENV{OPENSSL_ia32cap} = '~0x200000200000000';
+
+use constant {
+ DEFAULT_HANDSHAKE => 1,
+ OCSP_HANDSHAKE => 2,
+ RESUME_HANDSHAKE => 4,
+ CLIENT_AUTH_HANDSHAKE => 8,
+ RENEG_HANDSHAKE => 16,
+
+ ALL_HANDSHAKES => 31
+};
+
+my @handmessages = (
+ [TLSProxy::Message::MT_CLIENT_HELLO, ALL_HANDSHAKES],
+ [TLSProxy::Message::MT_SERVER_HELLO, ALL_HANDSHAKES],
+ [TLSProxy::Message::MT_CERTIFICATE, ALL_HANDSHAKES & ~RESUME_HANDSHAKE],
+ [TLSProxy::Message::MT_CERTIFICATE_STATUS, OCSP_HANDSHAKE],
+ #ServerKeyExchange handshakes not currently supported by TLSProxy
+ [TLSProxy::Message::MT_CERTIFICATE_REQUEST, CLIENT_AUTH_HANDSHAKE],
+ [TLSProxy::Message::MT_SERVER_HELLO_DONE, ALL_HANDSHAKES & ~RESUME_HANDSHAKE],
+ [TLSProxy::Message::MT_CERTIFICATE, CLIENT_AUTH_HANDSHAKE],
+ [TLSProxy::Message::MT_CLIENT_KEY_EXCHANGE, ALL_HANDSHAKES & ~RESUME_HANDSHAKE],
+ [TLSProxy::Message::MT_CERTIFICATE_VERIFY, CLIENT_AUTH_HANDSHAKE],
+ [TLSProxy::Message::MT_FINISHED, ALL_HANDSHAKES],
+ [TLSProxy::Message::MT_NEW_SESSION_TICKET, ALL_HANDSHAKES & ~RESUME_HANDSHAKE],
+ [TLSProxy::Message::MT_FINISHED, ALL_HANDSHAKES],
+ [TLSProxy::Message::MT_CLIENT_HELLO, RENEG_HANDSHAKE],
+ [TLSProxy::Message::MT_SERVER_HELLO, RENEG_HANDSHAKE],
+ [TLSProxy::Message::MT_CERTIFICATE, RENEG_HANDSHAKE],
+ [TLSProxy::Message::MT_SERVER_HELLO_DONE, RENEG_HANDSHAKE],
+ [TLSProxy::Message::MT_CLIENT_KEY_EXCHANGE, RENEG_HANDSHAKE],
+ [TLSProxy::Message::MT_FINISHED, RENEG_HANDSHAKE],
+ [TLSProxy::Message::MT_NEW_SESSION_TICKET, RENEG_HANDSHAKE],
+ [TLSProxy::Message::MT_FINISHED, RENEG_HANDSHAKE],
+ [0, 0]
+);
+
+my $proxy = TLSProxy::Proxy->new(
+ undef,
+ cmdstr(app(["openssl"]), display => 1),
+ srctop_file("apps", "server.pem"),
+ (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE})
+);
+
+sub checkmessages($$);
+
+#Test 1: Check we get all the right messages for a default handshake
+(undef, my $session) = tempfile();
+$proxy->serverconnects(2);
+$proxy->clientflags("-sess_out ".$session);
+$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
+plan tests => 5;
+checkmessages(DEFAULT_HANDSHAKE, "Default handshake test");
+
+#Test 2: Resumption handshake
+$proxy->clearClient();
+$proxy->clientflags("-sess_in ".$session);
+$proxy->clientstart();
+checkmessages(RESUME_HANDSHAKE, "Resumption handshake test");
+unlink $session;
+
+#Test 3: A client auth handshake
+$proxy->clear();
+$proxy->clientflags("-cert ".srctop_file("apps", "server.pem"));
+$proxy->serverflags("-Verify 5");
+$proxy->start();
+checkmessages(CLIENT_AUTH_HANDSHAKE, "Client auth handshake test");
+
+#Test 4: A handshake with a renegotiation
+$proxy->clear();
+$proxy->reneg(1);
+$proxy->start();
+checkmessages(RENEG_HANDSHAKE, "Rengotiation handshake test");
+
+#Test 5: A handshake with a renegotiation and client auth
+$proxy->clear();
+$proxy->clientflags("-cert ".srctop_file("apps", "server.pem"));
+$proxy->serverflags("-Verify 5");
+$proxy->reneg(1);
+$proxy->start();
+checkmessages(RENEG_HANDSHAKE | CLIENT_AUTH_HANDSHAKE,
+ "Renogitation and client auth handshake test");
+
+sub checkmessages($$)
+{
+ my ($handtype, $testname) = @_;
+
+ subtest $testname => sub {
+ my $loop = 0;
+ my $numtests;
+
+ #First count the number of tests
+ for ($numtests = 0; $handmessages[$loop][1] != 0; $loop++) {
+ $numtests++ if (($handmessages[$loop][1] & $handtype) != 0);
+ }
+
+ plan tests => $numtests;
+
+ my $nextmess = 0;
+ my $message = undef;
+ for ($loop = 0; $handmessages[$loop][1] != 0; $loop++) {
+ next if (($handmessages[$loop][1] & $handtype) == 0);
+ if (scalar @{$proxy->message_list} > $nextmess) {
+ $message = ${$proxy->message_list}[$nextmess];
+ $nextmess++;
+ } else {
+ $message = undef;
+ }
+ if (!defined $message) {
+ fail("Message type check. Got nothing, expected "
+ .$handmessages[$loop][0]);
+ } else {
+ ok($message->mt == $handmessages[$loop][0],
+ "Message type check. Got ".$message->mt
+ .", expected ".$handmessages[$loop][0]);
+ }
+ }
+ }
+}
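Review bot: checkmessages() only walks as many entries of `$proxy->message_list` as the expected table selects, so surplus messages after the last expected one would go unnoticed; a final check that `$nextmess == scalar @{$proxy->message_list}` would close that gap. Also `$test_name` is set to "test_tls13messages" although the recipe is 70-test_sslmessages.t, and the test labels read "Rengotiation" and "Renogitation".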
diff --git a/test/ssl-tests/17-renegotiate.conf b/test/ssl-tests/17-renegotiate.conf
index c47a956..fb9f97b 100644
--- a/test/ssl-tests/17-renegotiate.conf
+++ b/test/ssl-tests/17-renegotiate.conf
@@ -1,11 +1,13 @@
# Generated with generate_ssl_tests.pl
-num_tests = 4
+num_tests = 6
test-0 = 0-renegotiate-client-no-resume
test-1 = 1-renegotiate-client-resume
test-2 = 2-renegotiate-server-no-resume
test-3 = 3-renegotiate-server-resume
+test-4 = 4-renegotiate-client-auth-require
+test-5 = 5-renegotiate-client-auth-once
# ===========================================================
[0-renegotiate-client-no-resume]
@@ -112,3 +114,67 @@ Method = TLS
ResumptionExpected = Yes
+# ===========================================================
+
+[4-renegotiate-client-auth-require]
+ssl_conf = 4-renegotiate-client-auth-require-ssl
+
+[4-renegotiate-client-auth-require-ssl]
+server = 4-renegotiate-client-auth-require-server
+client = 4-renegotiate-client-auth-require-client
+
+[4-renegotiate-client-auth-require-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+MaxProtocol = TLSv1.2
+Options = NoResumptionOnRenegotiation
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
+VerifyMode = Require
+
+[4-renegotiate-client-auth-require-client]
+Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-4]
+ExpectedResult = Success
+HandshakeMode = RenegotiateServer
+Method = TLS
+ResumptionExpected = No
+
+
+# ===========================================================
+
+[5-renegotiate-client-auth-once]
+ssl_conf = 5-renegotiate-client-auth-once-ssl
+
+[5-renegotiate-client-auth-once-ssl]
+server = 5-renegotiate-client-auth-once-server
+client = 5-renegotiate-client-auth-once-client
+
+[5-renegotiate-client-auth-once-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+MaxProtocol = TLSv1.2
+Options = NoResumptionOnRenegotiation
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
+VerifyMode = Once
+
+[5-renegotiate-client-auth-once-client]
+Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-5]
+ExpectedResult = Success
+HandshakeMode = RenegotiateServer
+Method = TLS
+ResumptionExpected = No
+
+
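Review bot: for test-5 (VerifyMode = Once) an ExpectedResult of Success on its own does not show that the server omitted the CertificateRequest on the renegotiation, since a run in which it re-requested and the client re-sent the certificate would also succeed; the message-sequence check in 70-test_sslmessages.t is what pins that down, so a comment in the .conf.in pointing there would explain what this case guards. The server sections also pin VerifyCAFile to root-cert.pem while the generated client sections keep the default rootcert.pem; fine if ee-client-chain.pem chains to root-cert.pem, which the Require case will verify.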
diff --git a/test/ssl-tests/17-renegotiate.conf.in b/test/ssl-tests/17-renegotiate.conf.in
index a081617..104b1fe 100644
--- a/test/ssl-tests/17-renegotiate.conf.in
+++ b/test/ssl-tests/17-renegotiate.conf.in
@@ -14,6 +14,7 @@ use warnings;
package ssltests;
+my $dir_sep = $^O ne "VMS" ? "/" : "";
our @tests = (
{
@@ -64,4 +65,42 @@ our @tests = (
"ExpectedResult" => "Success"
}
},
+ {
+ name => "renegotiate-client-auth-require",
+ server => {
+ "Options" => "NoResumptionOnRenegotiation",
+ "MaxProtocol" => "TLSv1.2",
+ "VerifyCAFile" => "\${ENV::TEST_CERTS_DIR}${dir_sep}root-cert.pem",
+ "VerifyMode" => "Require",
+ },
+ client => {
+ "Certificate" => "\${ENV::TEST_CERTS_DIR}${dir_sep}ee-client-chain.pem",
+ "PrivateKey" => "\${ENV::TEST_CERTS_DIR}${dir_sep}ee-key.pem"
+ },
+ test => {
+ "Method" => "TLS",
+ "HandshakeMode" => "RenegotiateServer",
+ "ResumptionExpected" => "No",
+ "ExpectedResult" => "Success"
+ }
+ },
+ {
+ name => "renegotiate-client-auth-once",
+ server => {
+ "Options" => "NoResumptionOnRenegotiation",
+ "MaxProtocol" => "TLSv1.2",
+ "VerifyCAFile" => "\${ENV::TEST_CERTS_DIR}${dir_sep}root-cert.pem",
+ "VerifyMode" => "Once",
+ },
+ client => {
+ "Certificate" => "\${ENV::TEST_CERTS_DIR}${dir_sep}ee-client-chain.pem",
+ "PrivateKey" => "\${ENV::TEST_CERTS_DIR}${dir_sep}ee-key.pem"
+ },
+ test => {
+ "Method" => "TLS",
+ "HandshakeMode" => "RenegotiateServer",
+ "ResumptionExpected" => "No",
+ "ExpectedResult" => "Success"
+ }
+ }
);
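Review bot: the two new entries are identical apart from "VerifyMode", so generating them from a small loop over ("Require", "Once") would keep them from drifting apart; also, with `$dir_sep` empty on VMS the paths become `${ENV::TEST_CERTS_DIR}root-cert.pem`, which relies on the VMS value of TEST_CERTS_DIR already ending in a device or directory delimiter, and that deserves a comment next to the `$dir_sep` definition.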
diff --git a/test/ssl-tests/18-dtls-renegotiate.conf b/test/ssl-tests/18-dtls-renegotiate.conf
index 32eeaf0..fbde68a 100644
--- a/test/ssl-tests/18-dtls-renegotiate.conf
+++ b/test/ssl-tests/18-dtls-renegotiate.conf
@@ -1,10 +1,12 @@
# Generated with generate_ssl_tests.pl
-num_tests = 3
+num_tests = 5
test-0 = 0-renegotiate-client-no-resume
test-1 = 1-renegotiate-client-resume
test-2 = 2-renegotiate-server-resume
+test-3 = 3-renegotiate-client-auth-require
+test-4 = 4-renegotiate-client-auth-once
# ===========================================================
[0-renegotiate-client-no-resume]
@@ -84,3 +86,63 @@ Method = DTLS
ResumptionExpected = No
+# ===========================================================
+
+[3-renegotiate-client-auth-require]
+ssl_conf = 3-renegotiate-client-auth-require-ssl
+
+[3-renegotiate-client-auth-require-ssl]
+server = 3-renegotiate-client-auth-require-server
+client = 3-renegotiate-client-auth-require-client
+
+[3-renegotiate-client-auth-require-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
+VerifyMode = Require
+
+[3-renegotiate-client-auth-require-client]
+Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-3]
+ExpectedResult = Success
+HandshakeMode = RenegotiateServer
+Method = DTLS
+ResumptionExpected = No
+
+
+# ===========================================================
+
+[4-renegotiate-client-auth-once]
+ssl_conf = 4-renegotiate-client-auth-once-ssl
+
+[4-renegotiate-client-auth-once-ssl]
+server = 4-renegotiate-client-auth-once-server
+client = 4-renegotiate-client-auth-once-client
+
+[4-renegotiate-client-auth-once-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
+VerifyMode = Once
+
+[4-renegotiate-client-auth-once-client]
+Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-4]
+ExpectedResult = Success
+HandshakeMode = RenegotiateServer
+Method = DTLS
+ResumptionExpected = No
+
+
diff --git a/test/ssl-tests/18-dtls-renegotiate.conf.in b/test/ssl-tests/18-dtls-renegotiate.conf.in
index 440fb25..3f877f6 100644
--- a/test/ssl-tests/18-dtls-renegotiate.conf.in
+++ b/test/ssl-tests/18-dtls-renegotiate.conf.in
@@ -14,6 +14,7 @@ use warnings;
package ssltests;
+my $dir_sep = $^O ne "VMS" ? "/" : "";
our @tests = (
{
@@ -60,4 +61,38 @@ our @tests = (
"ExpectedResult" => "Success"
}
},
+ {
+ name => "renegotiate-client-auth-require",
+ server => {
+ "VerifyCAFile" => "\${ENV::TEST_CERTS_DIR}${dir_sep}root-cert.pem",
+ "VerifyMode" => "Require",
+ },
+ client => {
+ "Certificate" => "\${ENV::TEST_CERTS_DIR}${dir_sep}ee-client-chain.pem",
+ "PrivateKey" => "\${ENV::TEST_CERTS_DIR}${dir_sep}ee-key.pem"
+ },
+ test => {
+ "Method" => "DTLS",
+ "HandshakeMode" => "RenegotiateServer",
+ "ResumptionExpected" => "No",
+ "ExpectedResult" => "Success"
+ }
+ },
+ {
+ name => "renegotiate-client-auth-once",
+ server => {
+ "VerifyCAFile" => "\${ENV::TEST_CERTS_DIR}${dir_sep}root-cert.pem",
+ "VerifyMode" => "Once",
+ },
+ client => {
+ "Certificate" => "\${ENV::TEST_CERTS_DIR}${dir_sep}ee-client-chain.pem",
+ "PrivateKey" => "\${ENV::TEST_CERTS_DIR}${dir_sep}ee-key.pem"
+ },
+ test => {
+ "Method" => "DTLS",
+ "HandshakeMode" => "RenegotiateServer",
+ "ResumptionExpected" => "No",
+ "ExpectedResult" => "Success"
+ }
+ }
);
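Review bot: the DTLS server entries omit the "Options" => "NoResumptionOnRenegotiation" that their TLS counterparts in 17-renegotiate.conf.in set, yet both expect "ResumptionExpected" => "No"; if the renegotiation were resumed it would be an abbreviated handshake and never exercise the CertificateRequest path at all, so either add the option for parity or add a comment explaining why it is unnecessary for DTLS here.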
diff --git a/util/TLSProxy/Message.pm b/util/TLSProxy/Message.pm
index 1810d8c..0821bde 100644
--- a/util/TLSProxy/Message.pm
+++ b/util/TLSProxy/Message.pm
@@ -171,7 +171,7 @@ sub get_messages
$recoffset += 4;
$payload = "";
- if ($recoffset < $record->decrypt_len) {
+ if ($recoffset <= $record->decrypt_len) {
#Some payload data is present in this record
if ($record->decrypt_len - $recoffset >= $messlen) {
#We can complete the message with this record
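Review bot: with `<` changed to `<=` the branch is now also entered when `$recoffset == $record->decrypt_len`, i.e. when no payload bytes remain in this record; the inner test `decrypt_len - recoffset >= messlen` then holds only for `messlen == 0`, which is exactly the zero-length message (ServerHelloDone, for instance) the commit wants recorded. The comment "#Some payload data is present in this record" is no longer accurate for that case; suggest rewording it to cover "or a zero-length message ends here".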
diff --git a/util/TLSProxy/Proxy.pm b/util/TLSProxy/Proxy.pm
index 49fc15d..d025075 100644
--- a/util/TLSProxy/Proxy.pm
+++ b/util/TLSProxy/Proxy.pm
@@ -42,6 +42,7 @@ sub new
clientflags => "",
serverconnects => 1,
serverpid => 0,
+ reneg => 0,
#Public read
execute => $execute,
@@ -117,6 +118,7 @@ sub clear
$self->{serverflags} = "";
$self->{serverconnects} = 1;
$self->{serverpid} = 0;
+ $self->{reneg} = 0;
}
sub restart
@@ -200,7 +202,13 @@ sub clientstart
or die "Failed to redirect stdout: $!";
open(STDERR, ">&STDOUT");
}
- my $execcmd = "echo test | ".$self->execute
+ my $echostr;
+ if ($self->reneg()) {
+ $echostr = "R";
+ } else {
+ $echostr = "test";
+ }
+ my $execcmd = "echo ".$echostr." | ".$self->execute
." s_client -engine ossltest -connect "
.($self->proxy_addr).":".($self->proxy_port);
if ($self->cipherc ne "") {
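Review bot: the renegotiation trigger relies on s_client treating a line consisting of just `R` on stdin as a request to renegotiate, which is an interactive-mode convention nothing in this file names; a comment next to `$echostr = "R"` pointing that out would help, and since the reneg path never sends the `test` application data that the non-reneg path does, tests that rely on post-handshake application data need to know that.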
@@ -505,4 +513,13 @@ sub fill_known_data
return $ret;
}
+sub reneg
+{
+ my $self = shift;
+ if (@_) {
+ $self->{reneg} = shift;
+ }
+ return $self->{reneg};
+}
+
1;