[openssl-commits] [openssl] master update
Matt Caswell
matt at openssl.org
Thu Mar 30 08:13:33 UTC 2017
The branch master has been updated
via 3cb47b4ec1514248996ca037a5e7890ea7fdc855 (commit)
via 39ef78210c7110600e083e7aec8fe7cda076522b (commit)
from 3fd5ece39b59d938d0cc84b8e5148d19044d15cf (commit)
- Log -----------------------------------------------------------------
commit 3cb47b4ec1514248996ca037a5e7890ea7fdc855
Author: Matt Caswell <matt at openssl.org>
Date: Wed Mar 29 17:02:25 2017 +0100
Add a test for the bug fixed in the previous commit
We want to make sure that if we if are using SSL_MODE_AUTO_RETRY then
if SSL_read_early_data() hits EndOfEarlyData then it doesn't auto retry
and end up with normal data. The same issue could occur with read_ahead
which is what we use in this test.
Reviewed-by: Richard Levitte <levitte at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3077)
commit 39ef78210c7110600e083e7aec8fe7cda076522b
Author: Matt Caswell <matt at openssl.org>
Date: Wed Mar 29 17:00:55 2017 +0100
Fix bug with SSL_read_early_data()
If read_ahead is set, or SSL_MODE_AUTO_RETRY is used then if
SSL_read_early_data() hits an EndOfEarlyData message then it will
immediately retry automatically, but this time read normal data instead
of early data!
Fixes #3041
Reviewed-by: Richard Levitte <levitte at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3077)
-----------------------------------------------------------------------
Summary of changes:
ssl/record/rec_layer_s3.c | 10 +++++++++
test/sslapitest.c | 55 +++++++++++++++++++++++++++++++----------------
2 files changed, 46 insertions(+), 19 deletions(-)
diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c
index e8e9329..b51807c 100644
--- a/ssl/record/rec_layer_s3.c
+++ b/ssl/record/rec_layer_s3.c
@@ -1496,6 +1496,8 @@ int ssl3_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf,
*/
if ((s->rlayer.handshake_fragment_len >= 4)
&& !ossl_statem_get_in_handshake(s)) {
+ int ined = (s->early_data_state == SSL_EARLY_DATA_READING);
+
/* We found handshake data, so we're going back into init */
ossl_statem_set_in_init(s, 1);
@@ -1507,6 +1509,14 @@ int ssl3_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf,
return -1;
}
+ /*
+ * If we were actually trying to read early data and we found a
+ * handshake message, then we don't want to continue to try and read
+ * the application data any more. It won't be "early" now.
+ */
+ if (ined)
+ return -1;
+
if (!(s->mode & SSL_MODE_AUTO_RETRY)) {
if (SSL3_BUFFER_get_left(rbuf) == 0) {
/* no read-ahead left? */
diff --git a/test/sslapitest.c b/test/sslapitest.c
index 9ac8728..b4e99e8 100644
--- a/test/sslapitest.c
+++ b/test/sslapitest.c
@@ -1551,7 +1551,7 @@ static int test_set_sigalgs(int idx)
* error.
*/
static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
- SSL **serverssl, SSL_SESSION **sess)
+ SSL **serverssl, SSL_SESSION **sess, int idx)
{
if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), sctx,
cctx, cert, privkey)) {
@@ -1559,6 +1559,12 @@ static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
return 0;
}
+ /* When idx == 1 we repeat the tests with read_ahead set */
+ if (idx > 0) {
+ SSL_CTX_set_read_ahead(*cctx, 1);
+ SSL_CTX_set_read_ahead(*sctx, 1);
+ }
+
if (!create_ssl_objects(*sctx, *cctx, serverssl, clientssl, NULL, NULL)) {
printf("Unable to create SSL objects\n");
return 0;
@@ -1591,7 +1597,7 @@ static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
return 1;
}
-static int test_early_data_read_write(void)
+static int test_early_data_read_write(int idx)
{
SSL_CTX *cctx = NULL, *sctx = NULL;
SSL *clientssl = NULL, *serverssl = NULL;
@@ -1600,7 +1606,7 @@ static int test_early_data_read_write(void)
unsigned char buf[20];
size_t readbytes, written;
- if (!setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl, &sess))
+ if (!setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl, &sess, idx))
goto end;
/* Write and read some early data */
@@ -1810,7 +1816,7 @@ static int test_early_data_read_write(void)
return testresult;
}
-static int test_early_data_skip(void)
+static int test_early_data_skip(int idx)
{
SSL_CTX *cctx = NULL, *sctx = NULL;
SSL *clientssl = NULL, *serverssl = NULL;
@@ -1824,7 +1830,7 @@ static int test_early_data_skip(void)
* from a client where the early data is not acceptable.
*/
- if (!setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl, &sess))
+ if (!setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl, &sess, idx))
goto end;
/*
@@ -1892,7 +1898,7 @@ static int test_early_data_skip(void)
return testresult;
}
-static int test_early_data_not_sent(void)
+static int test_early_data_not_sent(int idx)
{
SSL_CTX *cctx = NULL, *sctx = NULL;
SSL *clientssl = NULL, *serverssl = NULL;
@@ -1906,7 +1912,7 @@ static int test_early_data_not_sent(void)
* from a client that doesn't send any.
*/
- if (!setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl, &sess))
+ if (!setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl, &sess, idx))
goto end;
/* Write some data - should block due to handshake with server */
@@ -1954,10 +1960,15 @@ static int test_early_data_not_sent(void)
goto end;
}
- /* Should block due to the NewSessionTicket arrival */
- if (SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)) {
- printf("Unexpected success reading message 2\n");
- goto end;
+ /*
+ * Should block due to the NewSessionTicket arrival unless we're using
+ * read_ahead
+ */
+ if (idx == 0) {
+ if (SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)) {
+ printf("Unexpected success reading message 2\n");
+ goto end;
+ }
}
if (!SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)
@@ -1981,7 +1992,7 @@ static int test_early_data_not_sent(void)
return testresult;
}
-static int test_early_data_not_expected(void)
+static int test_early_data_not_expected(int idx)
{
SSL_CTX *cctx = NULL, *sctx = NULL;
SSL *clientssl = NULL, *serverssl = NULL;
@@ -1995,7 +2006,7 @@ static int test_early_data_not_expected(void)
* client sending some.
*/
- if (!setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl, &sess))
+ if (!setupearly_data_test(&cctx, &sctx, &clientssl, &serverssl, &sess, idx))
goto end;
/* Write some early data */
@@ -2063,7 +2074,7 @@ static int test_early_data_not_expected(void)
# ifndef OPENSSL_NO_TLS1_2
-static int test_early_data_tls1_2(void)
+static int test_early_data_tls1_2(int idx)
{
SSL_CTX *cctx = NULL, *sctx = NULL;
SSL *clientssl = NULL, *serverssl = NULL;
@@ -2082,6 +2093,12 @@ static int test_early_data_tls1_2(void)
goto end;
}
+ /* When idx == 1 we repeat the tests with read_ahead set */
+ if (idx > 0) {
+ SSL_CTX_set_read_ahead(cctx, 1);
+ SSL_CTX_set_read_ahead(sctx, 1);
+ }
+
if (!create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) {
printf("Unable to create SSL objects\n");
goto end;
@@ -2211,12 +2228,12 @@ int test_main(int argc, char *argv[])
ADD_TEST(test_early_cb);
#endif
#ifndef OPENSSL_NO_TLS1_3
- ADD_TEST(test_early_data_read_write);
- ADD_TEST(test_early_data_skip);
- ADD_TEST(test_early_data_not_sent);
- ADD_TEST(test_early_data_not_expected);
+ ADD_ALL_TESTS(test_early_data_read_write, 2);
+ ADD_ALL_TESTS(test_early_data_skip, 2);
+ ADD_ALL_TESTS(test_early_data_not_sent, 2);
+ ADD_ALL_TESTS(test_early_data_not_expected, 2);
# ifndef OPENSSL_NO_TLS1_2
- ADD_TEST(test_early_data_tls1_2);
+ ADD_ALL_TESTS(test_early_data_tls1_2, 2);
# endif
#endif
More information about the openssl-commits
mailing list