[openssl-commits] [openssl] master update

Matt Caswell matt at openssl.org
Tue Jul 18 16:36:18 UTC 2017 

The branch master has been updated
       via  242525372c65d9c92fba970333ceb961abc24ce4 (commit)
       via  e11b6aa4c93ea89dc600cbcda96c6a2ab05c1b23 (commit)
       via  59ff3f07dc88bca5cec1b28c651c4d398ffd7126 (commit)
      from  00848ea842f911dac4e10bb39a08bb4b6de9e66a (commit)


- Log -----------------------------------------------------------------
commit 242525372c65d9c92fba970333ceb961abc24ce4
Author: Matt Caswell <matt at openssl.org>
Date:   Tue Jul 18 16:28:38 2017 +0100

    Remove session checks from SSL_clear()
    
    We now allow a different protocol version when reusing a session so we can
    unconditionally reset the SSL_METHOD if it has changed.
    
    Reviewed-by: Ben Kaduk <kaduk at mit.edu>
    Reviewed-by: Bernd Edlinger <bernd.edlinger at hotmail.de>
    (Merged from https://github.com/openssl/openssl/pull/3954)

commit e11b6aa4c93ea89dc600cbcda96c6a2ab05c1b23
Author: Matt Caswell <matt at openssl.org>
Date:   Tue Jul 18 11:34:47 2017 +0100

    Add a test for SSL_clear()
    
    Reviewed-by: Ben Kaduk <kaduk at mit.edu>
    Reviewed-by: Bernd Edlinger <bernd.edlinger at hotmail.de>
    (Merged from https://github.com/openssl/openssl/pull/3954)

commit 59ff3f07dc88bca5cec1b28c651c4d398ffd7126
Author: Matt Caswell <matt at openssl.org>
Date:   Tue Jul 18 11:18:31 2017 +0100

    Fix SSL_clear() in TLSv1.3
    
    SSL_clear() does not reset the SSL_METHOD if a session already exists in
    the SSL object. However, TLSv1.3 does not have an externally visible
    version fixed method (only an internal one). The state machine assumes
    that we are always starting from a version flexible method for TLSv1.3.
    The simplest solution is to just fix SSL_clear() to always reset the method
    if it is using the internal TLSv1.3 version fixed method.
    
    Reviewed-by: Ben Kaduk <kaduk at mit.edu>
    Reviewed-by: Bernd Edlinger <bernd.edlinger at hotmail.de>
    (Merged from https://github.com/openssl/openssl/pull/3954)

-----------------------------------------------------------------------

Summary of changes:
 ssl/ssl_lib.c     |  5 ++---
 test/sslapitest.c | 55 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 57 insertions(+), 3 deletions(-)

diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index cef8e41..be15daa 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -566,10 +566,9 @@ int SSL_clear(SSL *s)
 
     /*
      * Check to see if we were changed into a different method, if so, revert
-     * back if we are not doing session-id reuse.
+     * back.
      */
-    if (!ossl_statem_get_in_handshake(s) && (s->session == NULL)
-        && (s->method != s->ctx->method)) {
+    if (s->method != s->ctx->method) {
         s->method->ssl_free(s);
         s->method = s->ctx->method;
         if (!s->method->ssl_new(s))
diff --git a/test/sslapitest.c b/test/sslapitest.c
index cd869e2..ea68f0b 100644
--- a/test/sslapitest.c
+++ b/test/sslapitest.c
@@ -2649,6 +2649,60 @@ static int test_export_key_mat(int tst)
     return testresult;
 }
 
+static int test_ssl_clear(int idx)
+{
+    SSL_CTX *cctx = NULL, *sctx = NULL;
+    SSL *clientssl = NULL, *serverssl = NULL;
+    int testresult = 0;
+
+#ifdef OPENSSL_NO_TLS1_2
+    if (idx == 1)
+        return 1;
+#endif
+
+    /* Create an initial connection */
+    if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
+                                       TLS_client_method(), &sctx,
+                                       &cctx, cert, privkey))
+            || (idx == 1
+                && !TEST_true(SSL_CTX_set_max_proto_version(cctx,
+                                                            TLS1_2_VERSION)))
+            || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
+                                          &clientssl, NULL, NULL))
+            || !TEST_true(create_ssl_connection(serverssl, clientssl,
+                                                SSL_ERROR_NONE)))
+        goto end;
+
+    SSL_shutdown(clientssl);
+    SSL_shutdown(serverssl);
+    SSL_free(serverssl);
+    serverssl = NULL;
+
+    /* Clear clientssl - we're going to reuse the object */
+    if (!TEST_true(SSL_clear(clientssl)))
+        goto end;
+
+    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
+                                             NULL, NULL))
+            || !TEST_true(create_ssl_connection(serverssl, clientssl,
+                                                SSL_ERROR_NONE))
+            || !TEST_true(SSL_session_reused(clientssl)))
+        goto end;
+
+    SSL_shutdown(clientssl);
+    SSL_shutdown(serverssl);
+
+    testresult = 1;
+
+ end:
+    SSL_free(serverssl);
+    SSL_free(clientssl);
+    SSL_CTX_free(sctx);
+    SSL_CTX_free(cctx);
+
+    return testresult;
+}
+
 int test_main(int argc, char *argv[])
 {
     int testresult = 1;
@@ -2704,6 +2758,7 @@ int test_main(int argc, char *argv[])
 #endif
     ADD_ALL_TESTS(test_serverinfo, 8);
     ADD_ALL_TESTS(test_export_key_mat, 4);
+    ADD_ALL_TESTS(test_ssl_clear, 2);
 
     testresult = run_tests(argv[0]);

More information about the openssl-commits mailing list