[openssl-commits] [openssl] master update
Matt Caswell
matt at openssl.org
Tue May 9 16:07:19 UTC 2017
The branch master has been updated
via ad448b21f8dcb0f2c60f7edcec6f00f0857c474f (commit)
via db48a903b36e12bc9b8409d3cb84e980639c1dee (commit)
via 1fe3549428ea5b976eb2f0e352edd676fe0b1fab (commit)
from 068e3d73ce6814879832c9400c10afe2458c2004 (commit)
- Log -----------------------------------------------------------------
commit ad448b21f8dcb0f2c60f7edcec6f00f0857c474f
Author: Matt Caswell <matt at openssl.org>
Date: Tue May 9 10:32:48 2017 +0100
Fix some copy&paste errors and update following review feedback
Reviewed-by: Rich Salz <rsalz at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3410)
commit db48a903b36e12bc9b8409d3cb84e980639c1dee
Author: Matt Caswell <matt at openssl.org>
Date: Mon May 8 14:48:35 2017 +0100
Add some badly formatted compression methods tests
Test that sending a non NULL compression method fails in TLSv1.3 as well
as other similar tests.
Reviewed-by: Rich Salz <rsalz at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3410)
commit 1fe3549428ea5b976eb2f0e352edd676fe0b1fab
Author: Matt Caswell <matt at openssl.org>
Date: Mon May 8 14:47:33 2017 +0100
Verify that only NULL compression is sent in TLSv1.3 ClientHello
It is illegal in a TLSv1.3 ClientHello to send anything other than the
NULL compression method. We should send an alert if we find anything else
there. Previously we were ignoring this error.
Reviewed-by: Rich Salz <rsalz at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3410)
-----------------------------------------------------------------------
Summary of changes:
ssl/statem/statem_srvr.c | 18 ++++++--
test/recipes/70-test_comp.t | 110 ++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 125 insertions(+), 3 deletions(-)
create mode 100644 test/recipes/70-test_comp.t
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index 7adf09b..7e025a6 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -1755,9 +1755,22 @@ static int tls_early_post_process_client_hello(SSL *s, int *pal)
* algorithms from the client, starting at q.
*/
s->s3->tmp.new_compression = NULL;
+ if (SSL_IS_TLS13(s)) {
+ /*
+ * We already checked above that the NULL compression method appears in
+ * the list. Now we check there aren't any others (which is illegal in
+ * a TLSv1.3 ClientHello.
+ */
+ if (clienthello->compressions_len != 1) {
+ al = SSL_AD_ILLEGAL_PARAMETER;
+ SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
+ SSL_R_INVALID_COMPRESSION_ALGORITHM);
+ goto err;
+ }
+ }
#ifndef OPENSSL_NO_COMP
/* This only happens if we have a cache hit */
- if (s->session->compress_meth != 0 && !SSL_IS_TLS13(s)) {
+ else if (s->session->compress_meth != 0) {
int m, comp_id = s->session->compress_meth;
unsigned int k;
/* Perform sanity checks on resumed compression algorithm */
@@ -1793,8 +1806,7 @@ static int tls_early_post_process_client_hello(SSL *s, int *pal)
}
} else if (s->hit) {
comp = NULL;
- } else if (ssl_allow_compression(s) && s->ctx->comp_methods
- && !SSL_IS_TLS13(s)) {
+ } else if (ssl_allow_compression(s) && s->ctx->comp_methods) {
/* See if we have a match */
int m, nn, v, done = 0;
unsigned int o;
diff --git a/test/recipes/70-test_comp.t b/test/recipes/70-test_comp.t
new file mode 100644
index 0000000..b79c023
--- /dev/null
+++ b/test/recipes/70-test_comp.t
@@ -0,0 +1,110 @@
+#! /usr/bin/env perl
+# Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+use strict;
+use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file srctop_dir bldtop_dir/;
+use OpenSSL::Test::Utils;
+use File::Temp qw(tempfile);
+use TLSProxy::Proxy;
+
+my $test_name = "test_comp";
+setup($test_name);
+
+plan skip_all => "TLSProxy isn't usable on $^O"
+ if $^O =~ /^(VMS|MSWin32)$/;
+
+plan skip_all => "$test_name needs the dynamic engine feature enabled"
+ if disabled("engine") || disabled("dynamic-engine");
+
+plan skip_all => "$test_name needs the sock feature enabled"
+ if disabled("sock");
+
+plan skip_all => "$test_name needs TLSv1.3 or TLSv1.2 enabled"
+ if disabled("tls1_3") && disabled("tls1_2");
+
+$ENV{OPENSSL_ia32cap} = '~0x200000200000000';
+$ENV{CTLOG_FILE} = srctop_file("test", "ct", "log_list.conf");
+
+use constant {
+ MULTIPLE_COMPRESSIONS => 0,
+ NON_NULL_COMPRESSION => 1
+};
+my $testtype;
+
+my $proxy = TLSProxy::Proxy->new(
+ undef,
+ cmdstr(app(["openssl"]), display => 1),
+ srctop_file("apps", "server.pem"),
+ (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE})
+);
+
+$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
+plan tests => 4;
+
+SKIP: {
+ skip "TLSv1.2 disabled", 2 if disabled("tls1_2");
+ #Test 1: Check that sending multiple compression methods in a TLSv1.2
+ # ClientHello succeeds
+ $proxy->clear();
+ $proxy->filter(\&add_comp_filter);
+ $proxy->clientflags("-no_tls1_3");
+ $testtype = MULTIPLE_COMPRESSIONS;
+ $proxy->start();
+ ok(TLSProxy::Message->success(), "Non null compression");
+
+ #Test 2: NULL compression method must be present in TLSv1.2
+ $proxy->clear();
+ $proxy->clientflags("-no_tls1_3");
+ $testtype = NON_NULL_COMPRESSION;
+ $proxy->start();
+ ok(TLSProxy::Message->fail(), "NULL compression missing");
+}
+
+SKIP: {
+ skip "TLSv1.3 disabled", 2 if disabled("tls1_3");
+ #Test 3: Check that sending multiple compression methods in a TLSv1.3
+ # ClientHello fails
+ $proxy->clear();
+ $proxy->filter(\&add_comp_filter);
+ $testtype = MULTIPLE_COMPRESSIONS;
+ $proxy->start();
+ ok(TLSProxy::Message->fail(), "Non null compression (TLSv1.3)");
+
+ #Test 4: NULL compression method must be present in TLSv1.3
+ $proxy->clear();
+ $testtype = NON_NULL_COMPRESSION;
+ $proxy->start();
+ ok(TLSProxy::Message->fail(), "NULL compression missing (TLSv1.3)");
+}
+
+sub add_comp_filter
+{
+ my $proxy = shift;
+ my $flight;
+ my $message;
+ my @comp;
+
+ # Only look at the ClientHello
+ return if $proxy->flight != 0;
+
+ $message = ${$proxy->message_list}[0];
+
+ return if (!defined $message
+ || $message->mt != TLSProxy::Message::MT_CLIENT_HELLO);
+
+ if ($testtype == MULTIPLE_COMPRESSIONS) {
+ @comp = (
+ 0x00, #Null compression method
+ 0xff); #Unknown compression
+ } elsif ($testtype == NON_NULL_COMPRESSION) {
+ @comp = (0xff); #Unknown compression
+ }
+ $message->comp_meths(\@comp);
+ $message->comp_meth_len(scalar @comp);
+ $message->repack();
+}
More information about the openssl-commits
mailing list