[openssl-commits] [openssl] master update

Matt Caswell matt at openssl.org
Mon Jun 12 08:24:05 UTC 2017 

The branch master has been updated
       via  0e1e4045c469f03294e33c0344d882e71dbd0d07 (commit)
       via  cf34d54d82c1e51d018e81a95ea4a70598070eb3 (commit)
      from  5c718b9e46f6bbe5381556dbcfdd40ba2d65df77 (commit)


- Log -----------------------------------------------------------------
commit 0e1e4045c469f03294e33c0344d882e71dbd0d07
Author: Benjamin Kaduk <bkaduk at akamai.com>
Date:   Wed Apr 5 13:32:18 2017 -0500

    TLS 1.3 client sigalgs test no longer needs TLS 1.2
    
    Per the TODO comment, we now have proper certificate selection for
    TLS 1.3 client certificates, so this test can move into its own
    block.  (It cannot merge with the previous block, as it requires EC.)
    
    Verified that the test passes when configured with enable-tls1_3
    no-tls1 no-tls1_1 no-tls1_2.
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    Reviewed-by: Matt Caswell <matt at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/3131)

commit cf34d54d82c1e51d018e81a95ea4a70598070eb3
Author: Benjamin Kaduk <bkaduk at akamai.com>
Date:   Thu Mar 23 11:00:08 2017 -0500

    drop some no-longer-relevant TODO(TLS1.3) entries
    
    We prevent compression both when the server is parsing the ClientHello
    and when the client is constructing the ClientHello.  A 1.3 ServerHello
    has no way to hand us back a compression method, and we already check
    that the server does not try to give us back a compression method that
    we did not request, so these checks seem sufficient.
    
    Weaken the INSTALL note slightly, as we do now expect to interoperate
    with other implementations.
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    Reviewed-by: Matt Caswell <matt at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/3131)

-----------------------------------------------------------------------

Summary of changes:
 INSTALL                           |  5 +++--
 ssl/record/rec_layer_s3.c         |  3 ---
 test/recipes/70-test_sslsigalgs.t | 16 ++++++++--------
 3 files changed, 11 insertions(+), 13 deletions(-)

diff --git a/INSTALL b/INSTALL
index 8ae0644..3deb7ff 100644
--- a/INSTALL
+++ b/INSTALL
@@ -484,8 +484,9 @@
   enable-tls1_3
                    TODO(TLS1.3): Make this enabled by default
                    Build support for TLS1.3. Note: This is a WIP feature and
-                   does not currently interoperate with other TLS1.3
-                   implementations! Use with caution!!
+                   only a single draft version is supported.  Implementations
+                   of different draft versions will negotiate TLS 1.2 instead
+                   of (draft) TLS 1.3.  Use with caution!!
 
   no-<prot>
                    Don't build support for negotiating the specified SSL/TLS
diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c
index 0c40905..68c427e 100644
--- a/ssl/record/rec_layer_s3.c
+++ b/ssl/record/rec_layer_s3.c
@@ -841,9 +841,6 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
 
         /* first we compress */
         if (s->compress != NULL) {
-            /*
-             * TODO(TLS1.3): Make sure we prevent compression!!!
-             */
             if (!ssl3_do_compress(s, thiswr)
                     || !WPACKET_allocate_bytes(thispkt, thiswr->length, NULL)) {
                 SSLerr(SSL_F_DO_SSL3_WRITE, SSL_R_COMPRESSION_FAILURE);
diff --git a/test/recipes/70-test_sslsigalgs.t b/test/recipes/70-test_sslsigalgs.t
index dbd4870..832a4ba 100644
--- a/test/recipes/70-test_sslsigalgs.t
+++ b/test/recipes/70-test_sslsigalgs.t
@@ -92,20 +92,20 @@ SKIP: {
 }
 
 SKIP: {
-    skip "EC, TLSv1.3 or TLSv1.2 disabled", 2
-        if disabled("tls1_2") || disabled("tls1_3") || disabled("ec");
-
+    skip "EC or TLSv1.3 disabled", 1
+        if disabled("tls1_3") || disabled("ec");
     #Test 7: Sending a valid sig algs list but not including a sig type that
-    #        matches the certificate should fail in TLSv1.3. We need TLSv1.2
-    #        enabled for this test - otherwise the client will not attempt to
-    #        connect due to no TLSv1.3 ciphers being available.
-    #        TODO(TLS1.3): When proper TLSv1.3 certificate selection is working
-    #        we can move this test into the section above
+    #        matches the certificate should fail in TLSv1.3.
     $proxy->clear();
     $proxy->clientflags("-sigalgs ECDSA+SHA256");
     $proxy->filter(undef);
     $proxy->start();
     ok(TLSProxy::Message->fail, "No matching TLSv1.3 sigalgs");
+}
+
+SKIP: {
+    skip "EC, TLSv1.3 or TLSv1.2 disabled", 1
+        if disabled("tls1_2") || disabled("tls1_3") || disabled("ec");
 
     #Test 8: Sending a full list of TLSv1.3 sig algs but negotiating TLSv1.2
     #        should succeed

More information about the openssl-commits mailing list