[openssl-commits] [openssl] master update

Matt Caswell matt at openssl.org
Mon Sep 4 14:21:06 UTC 2017 

The branch master has been updated
       via  1d2491e20e1400def31eb1d1daea5583bfc7ea38 (commit)
       via  3d85c7f408e54e1a0b367901534139ba5f1cad07 (commit)
      from  45fd6a59facab8b8aa088f9f492f10aa5d2581c2 (commit)


- Log -----------------------------------------------------------------
commit 1d2491e20e1400def31eb1d1daea5583bfc7ea38
Author: Matt Caswell <matt at openssl.org>
Date:   Mon Sep 4 08:45:12 2017 +0100

    Don't use ciphersuites for inflating the ClientHello in clienthellotest
    
    clienthellotest tries to fill out the size of the ClientHello by adding
    extra ciphersuites in order to test the padding extension. This is
    unreliable because they are very dependent on configuration options. If we
    add too much data the test will fail! We were already also adding some dummy
    ALPN protocols to pad out the size, and it turns out that this is sufficient
    just in itself, so drop the extra ciphersuites.
    
    Reviewed-by: Paul Dale <paul.dale at oracle.com>
    (Merged from https://github.com/openssl/openssl/pull/4331)

commit 3d85c7f408e54e1a0b367901534139ba5f1cad07
Author: Matt Caswell <matt at openssl.org>
Date:   Mon Sep 4 08:44:02 2017 +0100

    Don't attempt to add a zero length padding extension
    
    The padding extension should always be at least 1 byte long
    
    Reviewed-by: Paul Dale <paul.dale at oracle.com>
    (Merged from https://github.com/openssl/openssl/pull/4331)

-----------------------------------------------------------------------

Summary of changes:
 ssl/statem/extensions_clnt.c |  2 +-
 test/clienthellotest.c       | 12 +++++-------
 2 files changed, 6 insertions(+), 8 deletions(-)

diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c
index 2c72dea..bffe7ac 100644
--- a/ssl/statem/extensions_clnt.c
+++ b/ssl/statem/extensions_clnt.c
@@ -843,7 +843,7 @@ EXT_RETURN tls_construct_ctos_padding(SSL *s, WPACKET *pkt,
          * 1 byte long so as not to have an empty extension last (WebSphere 7.x,
          * 8.x are intolerant of that condition)
          */
-        if (hlen >= 4)
+        if (hlen > 4)
             hlen -= 4;
         else
             hlen = 1;
diff --git a/test/clienthellotest.c b/test/clienthellotest.c
index fbac8ea..ee2d0ba 100644
--- a/test/clienthellotest.c
+++ b/test/clienthellotest.c
@@ -90,16 +90,14 @@ static int test_client_hello(int currtest)
     case TEST_PADDING_NOT_NEEDED:
         SSL_CTX_set_options(ctx, SSL_OP_TLSEXT_PADDING);
         /*
-         * Add lots of ciphersuites so that the ClientHello is at least
+         * Add some dummy ALPN protocols so that the ClientHello is at least
          * F5_WORKAROUND_MIN_MSG_LEN bytes long - meaning padding will be
-         * needed. Also add some dummy ALPN protocols in case we still don't
-         * have enough.
+         * needed.
          */
         if (currtest == TEST_ADD_PADDING
-                && (!TEST_true(SSL_CTX_set_cipher_list(ctx, "ALL"))
-                    || !TEST_false(SSL_CTX_set_alpn_protos(ctx,
-                                               (unsigned char *)alpn_prots,
-                                               sizeof(alpn_prots) - 1))))
+                && (!TEST_false(SSL_CTX_set_alpn_protos(ctx,
+                                    (unsigned char *)alpn_prots,
+                                    sizeof(alpn_prots) - 1))))
             goto end;
 
         break;

More information about the openssl-commits mailing list