[openssl-commits] [openssl] master update
Matt Caswell
matt at openssl.org
Thu Mar 2 16:54:26 UTC 2017
The branch master has been updated
via b6611753a6d9bef6a8c16850a9eb9215d8a84fac (commit)
via 439db0c97bd50cae008e876c6c8ed5e5011bf6eb (commit)
via f33f9ddefbb34584acb73c51e286f9913af96534 (commit)
via c19602b543562104b756aa6adec9bd5081207574 (commit)
from 398b0bbdf71d852daf2e79d842cd0d307ec9f8f6 (commit)
- Log -----------------------------------------------------------------
commit b6611753a6d9bef6a8c16850a9eb9215d8a84fac
Author: Matt Caswell <matt at openssl.org>
Date: Thu Mar 2 13:41:10 2017 +0000
Use the built in boolean type for CompressionExpected
Don't create a custom boolean type for parsing CompressionExpected. Use
the existing one instead.
Reviewed-by: Rich Salz <rsalz at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2814)
commit 439db0c97bd50cae008e876c6c8ed5e5011bf6eb
Author: Matt Caswell <matt at openssl.org>
Date: Wed Mar 1 12:11:51 2017 +0000
Add compression tests
Check whether we negotiate compression in various scenarios.
Reviewed-by: Rich Salz <rsalz at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2814)
commit f33f9ddefbb34584acb73c51e286f9913af96534
Author: Matt Caswell <matt at openssl.org>
Date: Wed Mar 1 11:20:30 2017 +0000
Fix a compression bug
do_ssl3_write() was crashing when compression was enabled. We calculate
the maximum length that a record will be after compression and reserve
those bytes in the WPACKET. Unfortunately we were adding the maximum
compression overhead onto the wrong variable resulting in a corrupted
record.
Reviewed-by: Rich Salz <rsalz at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2814)
commit c19602b543562104b756aa6adec9bd5081207574
Author: Matt Caswell <matt at openssl.org>
Date: Wed Mar 1 10:36:38 2017 +0000
Ensure that we never select compression in TLSv1.3
Reviewed-by: Rich Salz <rsalz at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2814)
-----------------------------------------------------------------------
Summary of changes:
ssl/record/rec_layer_s3.c | 2 +-
ssl/statem/statem_clnt.c | 4 +-
ssl/statem/statem_srvr.c | 7 +-
test/handshake_helper.c | 3 +
test/handshake_helper.h | 1 +
test/recipes/80-test_ssl_new.t | 4 +-
test/ssl-tests/22-compression.conf | 112 ++++++++++++++++++++++++++++++
test/ssl-tests/22-compression.conf.in | 127 ++++++++++++++++++++++++++++++++++
test/ssl_test.c | 11 +++
test/ssl_test_ctx.c | 5 ++
test/ssl_test_ctx.h | 6 ++
test/ssl_test_ctx_test.c | 8 +++
test/ssl_test_ctx_test.conf | 3 +
13 files changed, 287 insertions(+), 6 deletions(-)
create mode 100644 test/ssl-tests/22-compression.conf
create mode 100644 test/ssl-tests/22-compression.conf.in
diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c
index 37f7cd3..5aea4b3 100644
--- a/ssl/record/rec_layer_s3.c
+++ b/ssl/record/rec_layer_s3.c
@@ -791,7 +791,7 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
maxcomplen = pipelens[j];
if (s->compress != NULL)
- pipelens[j] += SSL3_RT_MAX_COMPRESSED_OVERHEAD;
+ maxcomplen += SSL3_RT_MAX_COMPRESSED_OVERHEAD;
/* write the header */
if (!WPACKET_put_bytes_u8(thispkt, rectype)
diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
index 1943f55..abddc0a 100644
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@@ -1105,7 +1105,9 @@ int tls_construct_client_hello(SSL *s, WPACKET *pkt)
return 0;
}
#ifndef OPENSSL_NO_COMP
- if (ssl_allow_compression(s) && s->ctx->comp_methods) {
+ if (ssl_allow_compression(s)
+ && s->ctx->comp_methods
+ && (SSL_IS_DTLS(s) || s->s3->tmp.max_ver < TLS1_3_VERSION)) {
int compnum = sk_SSL_COMP_num(s->ctx->comp_methods);
for (i = 0; i < compnum; i++) {
comp = sk_SSL_COMP_value(s->ctx->comp_methods, i);
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index 26c37c7..39e0f59 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -1736,7 +1736,7 @@ static int tls_early_post_process_client_hello(SSL *s, int *al)
s->s3->tmp.new_compression = NULL;
#ifndef OPENSSL_NO_COMP
/* This only happens if we have a cache hit */
- if (s->session->compress_meth != 0) {
+ if (s->session->compress_meth != 0 && !SSL_IS_TLS13(s)) {
int m, comp_id = s->session->compress_meth;
unsigned int k;
/* Perform sanity checks on resumed compression algorithm */
@@ -1770,9 +1770,10 @@ static int tls_early_post_process_client_hello(SSL *s, int *al)
SSL_R_REQUIRED_COMPRESSION_ALGORITHM_MISSING);
goto err;
}
- } else if (s->hit)
+ } else if (s->hit) {
comp = NULL;
- else if (ssl_allow_compression(s) && s->ctx->comp_methods) {
+ } else if (ssl_allow_compression(s) && s->ctx->comp_methods
+ && !SSL_IS_TLS13(s)) {
/* See if we have a match */
int m, nn, v, done = 0;
unsigned int o;
diff --git a/test/handshake_helper.c b/test/handshake_helper.c
index 88f6aec..99b6ad1 100644
--- a/test/handshake_helper.c
+++ b/test/handshake_helper.c
@@ -1207,6 +1207,9 @@ static HANDSHAKE_RESULT *do_handshake_internal(
ret->session_ticket = SSL_TEST_SESSION_TICKET_NO;
else
ret->session_ticket = SSL_TEST_SESSION_TICKET_YES;
+ ret->compression = (SSL_get_current_compression(client.ssl) == NULL)
+ ? SSL_TEST_COMPRESSION_NO
+ : SSL_TEST_COMPRESSION_YES;
ret->session_ticket_do_not_call = server_ex_data.session_ticket_do_not_call;
#ifndef OPENSSL_NO_NEXTPROTONEG
diff --git a/test/handshake_helper.h b/test/handshake_helper.h
index bdbeabb..1f079c9 100644
--- a/test/handshake_helper.h
+++ b/test/handshake_helper.h
@@ -34,6 +34,7 @@ typedef struct handshake_result {
ssl_servername_t servername;
/* Session ticket status */
ssl_session_ticket_t session_ticket;
+ int compression;
/* Was this called on the second context? */
int session_ticket_do_not_call;
char *client_npn_negotiated;
diff --git a/test/recipes/80-test_ssl_new.t b/test/recipes/80-test_ssl_new.t
index f94a7d8..5f44334 100644
--- a/test/recipes/80-test_ssl_new.t
+++ b/test/recipes/80-test_ssl_new.t
@@ -29,7 +29,7 @@ map { s/\^// } @conf_files if $^O eq "VMS";
# We hard-code the number of tests to double-check that the globbing above
# finds all files as expected.
-plan tests => 21; # = scalar @conf_srcs
+plan tests => 22; # = scalar @conf_srcs
# Some test results depend on the configuration of enabled protocols. We only
# verify generated sources in the default configuration.
@@ -63,6 +63,7 @@ my %conf_dependent_tests = (
"18-dtls-renegotiate.conf" => disabled("dtls1_2"),
"19-mac-then-encrypt.conf" => !$is_default_tls,
"20-cert-select.conf" => !$is_default_tls || $no_dh || $no_dsa,
+ "22-compression.conf" => !$is_default_tls,
);
# Add your test here if it should be skipped for some compile-time
@@ -87,6 +88,7 @@ my %skip = (
"19-mac-then-encrypt.conf" => $no_pre_tls1_3,
"20-cert-select.conf" => disabled("tls1_2") || $no_ec,
"21-key-update.conf" => disabled("tls1_3"),
+ "22-compression.conf" => disabled("zlib") || $no_tls,
);
foreach my $conf (@conf_files) {
diff --git a/test/ssl-tests/22-compression.conf b/test/ssl-tests/22-compression.conf
new file mode 100644
index 0000000..999b008
--- /dev/null
+++ b/test/ssl-tests/22-compression.conf
@@ -0,0 +1,112 @@
+# Generated with generate_ssl_tests.pl
+
+num_tests = 4
+
+test-0 = 0-tlsv1_2-both-compress
+test-1 = 1-tlsv1_2-client-compress
+test-2 = 2-tlsv1_2-server-compress
+test-3 = 3-tlsv1_2-neither-compress
+# ===========================================================
+
+[0-tlsv1_2-both-compress]
+ssl_conf = 0-tlsv1_2-both-compress-ssl
+
+[0-tlsv1_2-both-compress-ssl]
+server = 0-tlsv1_2-both-compress-server
+client = 0-tlsv1_2-both-compress-client
+
+[0-tlsv1_2-both-compress-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+Options = Compression
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[0-tlsv1_2-both-compress-client]
+CipherString = DEFAULT
+MaxProtocol = TLSv1.2
+Options = Compression
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-0]
+CompressionExpected = Yes
+ExpectedResult = Success
+
+
+# ===========================================================
+
+[1-tlsv1_2-client-compress]
+ssl_conf = 1-tlsv1_2-client-compress-ssl
+
+[1-tlsv1_2-client-compress-ssl]
+server = 1-tlsv1_2-client-compress-server
+client = 1-tlsv1_2-client-compress-client
+
+[1-tlsv1_2-client-compress-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[1-tlsv1_2-client-compress-client]
+CipherString = DEFAULT
+MaxProtocol = TLSv1.2
+Options = Compression
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-1]
+CompressionExpected = No
+ExpectedResult = Success
+
+
+# ===========================================================
+
+[2-tlsv1_2-server-compress]
+ssl_conf = 2-tlsv1_2-server-compress-ssl
+
+[2-tlsv1_2-server-compress-ssl]
+server = 2-tlsv1_2-server-compress-server
+client = 2-tlsv1_2-server-compress-client
+
+[2-tlsv1_2-server-compress-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+Options = Compression
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[2-tlsv1_2-server-compress-client]
+CipherString = DEFAULT
+MaxProtocol = TLSv1.2
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-2]
+CompressionExpected = No
+ExpectedResult = Success
+
+
+# ===========================================================
+
+[3-tlsv1_2-neither-compress]
+ssl_conf = 3-tlsv1_2-neither-compress-ssl
+
+[3-tlsv1_2-neither-compress-ssl]
+server = 3-tlsv1_2-neither-compress-server
+client = 3-tlsv1_2-neither-compress-client
+
+[3-tlsv1_2-neither-compress-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[3-tlsv1_2-neither-compress-client]
+CipherString = DEFAULT
+MaxProtocol = TLSv1.2
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-3]
+CompressionExpected = No
+ExpectedResult = Success
+
+
diff --git a/test/ssl-tests/22-compression.conf.in b/test/ssl-tests/22-compression.conf.in
new file mode 100644
index 0000000..8d4d823
--- /dev/null
+++ b/test/ssl-tests/22-compression.conf.in
@@ -0,0 +1,127 @@
+# -*- mode: perl; -*-
+# Copyright 2016-2016 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+
+## Test Compression
+
+use strict;
+use warnings;
+
+package ssltests;
+use OpenSSL::Test::Utils;
+
+our @tests = ();
+
+our @tests_tls1_3 = (
+ {
+ name => "tlsv1_3-both-compress",
+ server => {
+ "Options" => "Compression"
+ },
+ client => {
+ "Options" => "Compression"
+ },
+ test => {
+ "CompressionExpected" => "No",
+ "ExpectedResult" => "Success"
+ }
+ },
+ {
+ name => "tlsv1_3-client-compress",
+ server => {
+ },
+ client => {
+ "Options" => "Compression"
+ },
+ test => {
+ "CompressionExpected" => "No",
+ "ExpectedResult" => "Success"
+ }
+ },
+ {
+ name => "tlsv1_3-server-compress",
+ server => {
+ "Options" => "Compression"
+ },
+ client => {
+ },
+ test => {
+ "CompressionExpected" => "No",
+ "ExpectedResult" => "Success"
+ }
+ },
+ {
+ name => "tlsv1_3-neither-compress",
+ server => {
+ },
+ client => {
+ },
+ test => {
+ "CompressionExpected" => "No",
+ "ExpectedResult" => "Success"
+ }
+ },
+);
+our @tests_tls1_2 = (
+ {
+ name => "tlsv1_2-both-compress",
+ server => {
+ "Options" => "Compression"
+ },
+ client => {
+ "Options" => "Compression",
+ "MaxProtocol" => "TLSv1.2"
+ },
+ test => {
+ "CompressionExpected" => "Yes",
+ "ExpectedResult" => "Success"
+ }
+ },
+ {
+ name => "tlsv1_2-client-compress",
+ server => {
+ },
+ client => {
+ "Options" => "Compression",
+ "MaxProtocol" => "TLSv1.2"
+ },
+ test => {
+ "CompressionExpected" => "No",
+ "ExpectedResult" => "Success"
+ }
+ },
+ {
+ name => "tlsv1_2-server-compress",
+ server => {
+ "Options" => "Compression"
+ },
+ client => {
+ "MaxProtocol" => "TLSv1.2"
+ },
+ test => {
+ "CompressionExpected" => "No",
+ "ExpectedResult" => "Success"
+ }
+ },
+ {
+ name => "tlsv1_2-neither-compress",
+ server => {
+ },
+ client => {
+ "MaxProtocol" => "TLSv1.2"
+ },
+ test => {
+ "CompressionExpected" => "No",
+ "ExpectedResult" => "Success"
+ }
+ },
+);
+
+push @tests, @tests_tls1_3 unless disabled("tls1_3");
+push @tests, @tests_tls1_2 unless alldisabled(("tls1_2", "tls1_1", "tls1",
+ "ssl3"));
diff --git a/test/ssl_test.c b/test/ssl_test.c
index 752de63..948eb17 100644
--- a/test/ssl_test.c
+++ b/test/ssl_test.c
@@ -146,6 +146,16 @@ static int check_session_ticket(HANDSHAKE_RESULT *result, SSL_TEST_CTX *test_ctx
return 1;
}
+static int check_compression(HANDSHAKE_RESULT *result, SSL_TEST_CTX *test_ctx)
+{
+ if (result->compression != test_ctx->compression_expected) {
+ fprintf(stderr, "Client CompressionExpected mismatch, expected %d, got %d\n.",
+ test_ctx->compression_expected,
+ result->compression);
+ return 0;
+ }
+ return 1;
+}
#ifndef OPENSSL_NO_NEXTPROTONEG
static int check_npn(HANDSHAKE_RESULT *result, SSL_TEST_CTX *test_ctx)
{
@@ -259,6 +269,7 @@ static int check_test(HANDSHAKE_RESULT *result, SSL_TEST_CTX *test_ctx)
ret &= check_protocol(result, test_ctx);
ret &= check_servername(result, test_ctx);
ret &= check_session_ticket(result, test_ctx);
+ ret &= check_compression(result, test_ctx);
ret &= (result->session_ticket_do_not_call == 0);
#ifndef OPENSSL_NO_NEXTPROTONEG
ret &= check_npn(result, test_ctx);
diff --git a/test/ssl_test_ctx.c b/test/ssl_test_ctx.c
index f9e74d1..d668f51 100644
--- a/test/ssl_test_ctx.c
+++ b/test/ssl_test_ctx.c
@@ -286,6 +286,10 @@ const char *ssl_session_ticket_name(ssl_session_ticket_t server)
server);
}
+/* CompressionExpected */
+
+IMPLEMENT_SSL_TEST_BOOL_OPTION(SSL_TEST_CTX, test, compression_expected)
+
/* Method */
static const test_enum ssl_test_methods[] = {
@@ -541,6 +545,7 @@ static const ssl_test_ctx_option ssl_test_ctx_options[] = {
{ "ExpectedProtocol", &parse_protocol },
{ "ExpectedServerName", &parse_expected_servername },
{ "SessionTicketExpected", &parse_session_ticket },
+ { "CompressionExpected", &parse_test_compression_expected },
{ "Method", &parse_test_method },
{ "ExpectedNPNProtocol", &parse_test_expected_npn_protocol },
{ "ExpectedALPNProtocol", &parse_test_expected_alpn_protocol },
diff --git a/test/ssl_test_ctx.h b/test/ssl_test_ctx.h
index 499e314..300a557 100644
--- a/test/ssl_test_ctx.h
+++ b/test/ssl_test_ctx.h
@@ -52,6 +52,11 @@ typedef enum {
} ssl_session_ticket_t;
typedef enum {
+ SSL_TEST_COMPRESSION_NO = 0, /* Default */
+ SSL_TEST_COMPRESSION_YES
+} ssl_compression_t;
+
+typedef enum {
SSL_TEST_METHOD_TLS = 0, /* Default */
SSL_TEST_METHOD_DTLS
} ssl_test_method_t;
@@ -163,6 +168,7 @@ typedef struct {
*/
ssl_servername_t expected_servername;
ssl_session_ticket_t session_ticket_expected;
+ int compression_expected;
/* The expected NPN/ALPN protocol to negotiate. */
char *expected_npn_protocol;
char *expected_alpn_protocol;
diff --git a/test/ssl_test_ctx_test.c b/test/ssl_test_ctx_test.c
index 36d17a7..54a32c6 100644
--- a/test/ssl_test_ctx_test.c
+++ b/test/ssl_test_ctx_test.c
@@ -173,6 +173,12 @@ static int SSL_TEST_CTX_equal(SSL_TEST_CTX *ctx, SSL_TEST_CTX *ctx2)
ssl_session_ticket_name(ctx2->session_ticket_expected));
return 0;
}
+ if (ctx->compression_expected != ctx2->compression_expected) {
+ fprintf(stderr, "ComrpessionExpected mismatch: %d vs %d.\n",
+ ctx->compression_expected,
+ ctx2->compression_expected);
+ return 0;
+ }
if (!strings_equal("ExpectedNPNProtocol", ctx->expected_npn_protocol,
ctx2->expected_npn_protocol))
return 0;
@@ -250,6 +256,7 @@ static int test_good_configuration()
fixture.expected_ctx->expected_protocol = TLS1_1_VERSION;
fixture.expected_ctx->expected_servername = SSL_TEST_SERVERNAME_SERVER2;
fixture.expected_ctx->session_ticket_expected = SSL_TEST_SESSION_TICKET_YES;
+ fixture.expected_ctx->compression_expected = SSL_TEST_COMPRESSION_NO;
fixture.expected_ctx->resumption_expected = 1;
fixture.expected_ctx->extra.client.verify_callback =
@@ -284,6 +291,7 @@ static const char *bad_configurations[] = {
"ssltest_unknown_servername",
"ssltest_unknown_servername_callback",
"ssltest_unknown_session_ticket_expected",
+ "ssltest_unknown_compression_expected",
"ssltest_unknown_method",
"ssltest_unknown_handshake_mode",
"ssltest_unknown_resumption_expected",
diff --git a/test/ssl_test_ctx_test.conf b/test/ssl_test_ctx_test.conf
index a062d75..86d40e5 100644
--- a/test/ssl_test_ctx_test.conf
+++ b/test/ssl_test_ctx_test.conf
@@ -72,6 +72,9 @@ ServerNameCallback = Foo
[ssltest_unknown_session_ticket_expected]
SessionTicketExpected = Foo
+[ssltest_unknown_compression_expected]
+CompressionExpected = Foo
+
[ssltest_unknown_method]
Method = TLS2
More information about the openssl-commits
mailing list