[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
Richard Levitte
levitte at openssl.org
Mon Mar 19 17:29:16 UTC 2018
The branch OpenSSL_1_1_0-stable has been updated
via b402b77da33cc36ee893fa498be2e4220178524b (commit)
via b4ea929d51c6d0ec0aab78072b81f39289b6de84 (commit)
via 1f71819af527883d2438cfc7f6cd9962eb155155 (commit)
from f778cd2d89b3dfb2438df44f42e5a9082b213a71 (commit)
- Log -----------------------------------------------------------------
commit b402b77da33cc36ee893fa498be2e4220178524b
Author: Richard Levitte <levitte at openssl.org>
Date: Mon Mar 19 09:08:06 2018 +0100
Enhance ssltestlib's create_ssl_ctx_pair to take min and max proto version
Have all test programs using that function specify those versions.
Additionally, have the remaining test programs that use SSL_CTX_new
directly specify at least the maximum protocol version.
Reviewed-by: Matt Caswell <matt at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5662)
commit b4ea929d51c6d0ec0aab78072b81f39289b6de84
Author: Richard Levitte <levitte at openssl.org>
Date: Mon Mar 19 08:06:22 2018 +0100
In TLSProxy::Proxy, specify TLSv1.2 as maximum allowable protocol
Partially fixes #5661
Reviewed-by: Matt Caswell <matt at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5662)
commit 1f71819af527883d2438cfc7f6cd9962eb155155
Author: Richard Levitte <levitte at openssl.org>
Date: Mon Mar 19 07:48:33 2018 +0100
Support "-min_protocol" and "-max_protocol" in s_server and s_client
If for nothing else, they are needed when doing a regression test
Partially fixes #5661
Reviewed-by: Matt Caswell <matt at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5662)
-----------------------------------------------------------------------
Summary of changes:
apps/apps.h | 6 +++++-
test/asynciotest.c | 1 +
test/clienthellotest.c | 6 ++++--
test/dtlstest.c | 5 +++--
test/fatalerrtest.c | 3 ++-
test/ssl_test.c | 12 ++++++++++++
test/sslapitest.c | 35 +++++++++++++++++++++++------------
test/sslcorrupttest.c | 5 +++--
test/ssltest_old.c | 41 ++++++++++++++++++++++++++++++-----------
test/ssltestlib.c | 25 +++++++++++++++++++++++++
test/ssltestlib.h | 1 +
util/perl/TLSProxy/Proxy.pm | 4 ++--
12 files changed, 111 insertions(+), 33 deletions(-)
diff --git a/apps/apps.h b/apps/apps.h
index 7e4d4e9..d705d0e 100644
--- a/apps/apps.h
+++ b/apps/apps.h
@@ -214,7 +214,7 @@ int set_cert_times(X509 *x, const char *startdate, const char *enddate,
OPT_S_SERVERPREF, OPT_S_LEGACYRENEG, OPT_S_LEGACYCONN, \
OPT_S_ONRESUMP, OPT_S_NOLEGACYCONN, OPT_S_STRICT, OPT_S_SIGALGS, \
OPT_S_CLIENTSIGALGS, OPT_S_CURVES, OPT_S_NAMEDCURVE, OPT_S_CIPHER, \
- OPT_S_DEBUGBROKE, OPT_S_COMP, \
+ OPT_S_DEBUGBROKE, OPT_S_COMP, OPT_S_MINPROTO, OPT_S_MAXPROTO, \
OPT_S_NO_RENEGOTIATION, OPT_S__LAST
# define OPT_S_OPTIONS \
@@ -250,6 +250,8 @@ int set_cert_times(X509 *x, const char *startdate, const char *enddate,
{"named_curve", OPT_S_NAMEDCURVE, 's', \
"Elliptic curve used for ECDHE (server-side only)" }, \
{"cipher", OPT_S_CIPHER, 's', "Specify cipher list to be used"}, \
+ {"min_protocol", OPT_S_MINPROTO, 's', "Specify the minimum protocol version to be used"}, \
+ {"max_protocol", OPT_S_MAXPROTO, 's', "Specify the maximum protocol version to be used"}, \
{"debug_broken_protocol", OPT_S_DEBUGBROKE, '-', \
"Perform all sorts of protocol violations for testing purposes"}
@@ -274,6 +276,8 @@ int set_cert_times(X509 *x, const char *startdate, const char *enddate,
case OPT_S_CURVES: \
case OPT_S_NAMEDCURVE: \
case OPT_S_CIPHER: \
+ case OPT_S_MINPROTO: \
+ case OPT_S_MAXPROTO: \
case OPT_S_NO_RENEGOTIATION: \
case OPT_S_DEBUGBROKE
diff --git a/test/asynciotest.c b/test/asynciotest.c
index e2b6b0b..f190e43 100644
--- a/test/asynciotest.c
+++ b/test/asynciotest.c
@@ -255,6 +255,7 @@ int main(int argc, char *argv[])
}
if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
+ TLS1_VERSION, TLS_MAX_VERSION,
&serverctx, &clientctx, argv[1], argv[2])) {
printf("Failed to create SSL_CTX pair\n");
goto end;
diff --git a/test/clienthellotest.c b/test/clienthellotest.c
index b8157f2..d81505c 100644
--- a/test/clienthellotest.c
+++ b/test/clienthellotest.c
@@ -31,8 +31,8 @@
int main(int argc, char *argv[])
{
- SSL_CTX *ctx;
- SSL *con;
+ SSL_CTX *ctx = NULL;
+ SSL *con = NULL;
BIO *rbio;
BIO *wbio;
BIO *err;
@@ -56,6 +56,8 @@ int main(int argc, char *argv[])
for (; currtest < TOTAL_NUM_TESTS; currtest++) {
testresult = 0;
ctx = SSL_CTX_new(TLS_method());
+ if (!SSL_CTX_set_max_proto_version(ctx, TLS1_2_VERSION))
+ goto end;
con = SSL_new(ctx);
rbio = BIO_new(BIO_s_mem());
diff --git a/test/dtlstest.c b/test/dtlstest.c
index fd6e2ab..c91b64e 100644
--- a/test/dtlstest.c
+++ b/test/dtlstest.c
@@ -49,8 +49,9 @@ static int test_dtls_unprocessed(int testidx)
printf("Starting Test %d\n", testidx);
- if (!create_ssl_ctx_pair(DTLS_server_method(), DTLS_client_method(), &sctx,
- &cctx, cert, privkey)) {
+ if (!create_ssl_ctx_pair(DTLS_server_method(), DTLS_client_method(),
+ DTLS1_VERSION, DTLS_MAX_VERSION, &sctx, &cctx,
+ cert, privkey)) {
printf("Unable to create SSL_CTX pair\n");
return 0;
}
diff --git a/test/fatalerrtest.c b/test/fatalerrtest.c
index 690d7e2..b6f0f4f 100644
--- a/test/fatalerrtest.c
+++ b/test/fatalerrtest.c
@@ -28,7 +28,8 @@ static int test_fatalerr(void)
0x17, 0x03, 0x03, 0x00, 0x05, 'D', 'u', 'm', 'm', 'y'
};
- if (!create_ssl_ctx_pair(SSLv23_method(), SSLv23_method(), &sctx, &cctx,
+ if (!create_ssl_ctx_pair(SSLv23_method(), SSLv23_method(),
+ SSL3_VERSION, TLS_MAX_VERSION, &sctx, &cctx,
cert, privkey)) {
printf("Failed to create SSL_CTX pair\n");
goto err;
diff --git a/test/ssl_test.c b/test/ssl_test.c
index 60ccbe7..81c20b3 100644
--- a/test/ssl_test.c
+++ b/test/ssl_test.c
@@ -249,15 +249,21 @@ static int execute_test(SSL_TEST_FIXTURE fixture)
#ifndef OPENSSL_NO_DTLS
if (test_ctx->method == SSL_TEST_METHOD_DTLS) {
server_ctx = SSL_CTX_new(DTLS_server_method());
+ TEST_check(SSL_CTX_set_max_proto_version(server_ctx, DTLS_MAX_VERSION));
if (test_ctx->extra.server.servername_callback !=
SSL_TEST_SERVERNAME_CB_NONE) {
server2_ctx = SSL_CTX_new(DTLS_server_method());
TEST_check(server2_ctx != NULL);
}
client_ctx = SSL_CTX_new(DTLS_client_method());
+ TEST_check(SSL_CTX_set_max_proto_version(client_ctx, DTLS_MAX_VERSION));
if (test_ctx->handshake_mode == SSL_TEST_HANDSHAKE_RESUME) {
resume_server_ctx = SSL_CTX_new(DTLS_server_method());
+ TEST_check(SSL_CTX_set_max_proto_version(resume_server_ctx,
+ DTLS_MAX_VERSION));
resume_client_ctx = SSL_CTX_new(DTLS_client_method());
+ TEST_check(SSL_CTX_set_max_proto_version(resume_client_ctx,
+ DTLS_MAX_VERSION));
TEST_check(resume_server_ctx != NULL);
TEST_check(resume_client_ctx != NULL);
}
@@ -265,6 +271,7 @@ static int execute_test(SSL_TEST_FIXTURE fixture)
#endif
if (test_ctx->method == SSL_TEST_METHOD_TLS) {
server_ctx = SSL_CTX_new(TLS_server_method());
+ TEST_check(SSL_CTX_set_max_proto_version(server_ctx, TLS_MAX_VERSION));
/* SNI on resumption isn't supported/tested yet. */
if (test_ctx->extra.server.servername_callback !=
SSL_TEST_SERVERNAME_CB_NONE) {
@@ -272,10 +279,15 @@ static int execute_test(SSL_TEST_FIXTURE fixture)
TEST_check(server2_ctx != NULL);
}
client_ctx = SSL_CTX_new(TLS_client_method());
+ TEST_check(SSL_CTX_set_max_proto_version(client_ctx, TLS_MAX_VERSION));
if (test_ctx->handshake_mode == SSL_TEST_HANDSHAKE_RESUME) {
resume_server_ctx = SSL_CTX_new(TLS_server_method());
+ TEST_check(SSL_CTX_set_max_proto_version(resume_server_ctx,
+ TLS_MAX_VERSION));
resume_client_ctx = SSL_CTX_new(TLS_client_method());
+ TEST_check(SSL_CTX_set_max_proto_version(resume_client_ctx,
+ TLS_MAX_VERSION));
TEST_check(resume_server_ctx != NULL);
TEST_check(resume_client_ctx != NULL);
}
diff --git a/test/sslapitest.c b/test/sslapitest.c
index 20ebb8a..7a7ffd7 100644
--- a/test/sslapitest.c
+++ b/test/sslapitest.c
@@ -34,7 +34,9 @@ static X509 *ocspcert = NULL;
#define NUM_EXTRA_CERTS 40
static int execute_test_large_message(const SSL_METHOD *smeth,
- const SSL_METHOD *cmeth, int read_ahead)
+ const SSL_METHOD *cmeth,
+ int min_version, int max_version,
+ int read_ahead)
{
SSL_CTX *cctx = NULL, *sctx = NULL;
SSL *clientssl = NULL, *serverssl = NULL;
@@ -56,7 +58,7 @@ static int execute_test_large_message(const SSL_METHOD *smeth,
goto end;
}
- if (!create_ssl_ctx_pair(smeth, cmeth, &sctx,
+ if (!create_ssl_ctx_pair(smeth, cmeth, min_version, max_version, &sctx,
&cctx, cert, privkey)) {
printf("Unable to create SSL_CTX pair\n");
goto end;
@@ -125,12 +127,14 @@ static int execute_test_large_message(const SSL_METHOD *smeth,
static int test_large_message_tls(void)
{
return execute_test_large_message(TLS_server_method(), TLS_client_method(),
+ TLS1_VERSION, TLS_MAX_VERSION,
0);
}
static int test_large_message_tls_read_ahead(void)
{
return execute_test_large_message(TLS_server_method(), TLS_client_method(),
+ TLS1_VERSION, TLS_MAX_VERSION,
1);
}
@@ -142,7 +146,9 @@ static int test_large_message_dtls(void)
* read_ahead is set.
*/
return execute_test_large_message(DTLS_server_method(),
- DTLS_client_method(), 0);
+ DTLS_client_method(),
+ DTLS1_VERSION, DTLS_MAX_VERSION,
+ 0);
}
#endif
@@ -207,8 +213,9 @@ static int test_tlsext_status_type(void)
OCSP_RESPID *id = NULL;
BIO *certbio = NULL;
- if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), &sctx,
- &cctx, cert, privkey)) {
+ if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
+ TLS1_VERSION, TLS_MAX_VERSION, &sctx, &cctx,
+ cert, privkey)) {
printf("Unable to create SSL_CTX pair\n");
return 0;
}
@@ -431,8 +438,9 @@ static int execute_test_session(SSL_SESSION_TEST_FIXTURE fix)
SSL_SESSION *sess1 = NULL, *sess2 = NULL;
int testresult = 0;
- if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), &sctx,
- &cctx, cert, privkey)) {
+ if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
+ TLS1_VERSION, TLS_MAX_VERSION, &sctx, &cctx,
+ cert, privkey)) {
printf("Unable to create SSL_CTX pair\n");
return 0;
}
@@ -928,8 +936,9 @@ static int test_set_sigalgs(int idx)
curr = testctx ? &testsigalgs[idx]
: &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
- if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), &sctx,
- &cctx, cert, privkey)) {
+ if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
+ TLS1_VERSION, TLS_MAX_VERSION, &sctx, &cctx,
+ cert, privkey)) {
printf("Unable to create SSL_CTX pair\n");
return 0;
}
@@ -1079,14 +1088,16 @@ static int test_custom_exts(int tst)
clntaddcb = clntparsecb = srvaddcb = srvparsecb = 0;
snicb = 0;
- if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), &sctx,
- &cctx, cert, privkey)) {
+ if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
+ TLS1_VERSION, TLS_MAX_VERSION, &sctx, &cctx,
+ cert, privkey)) {
printf("Unable to create SSL_CTX pair\n");
goto end;
}
if (tst == 1
- && !create_ssl_ctx_pair(TLS_server_method(), NULL, &sctx2, NULL,
+ && !create_ssl_ctx_pair(TLS_server_method(), NULL,
+ TLS1_VERSION, TLS_MAX_VERSION, &sctx2, NULL,
cert, privkey)) {
printf("Unable to create SSL_CTX pair (2)\n");
goto end;
diff --git a/test/sslcorrupttest.c b/test/sslcorrupttest.c
index 34ac8f7..5455bf4 100644
--- a/test/sslcorrupttest.c
+++ b/test/sslcorrupttest.c
@@ -185,8 +185,9 @@ static int test_ssl_corrupt(int testidx)
printf("Starting Test %d, %s\n", testidx, cipher_list[testidx]);
- if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), &sctx,
- &cctx, cert, privkey)) {
+ if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
+ TLS1_VERSION, TLS_MAX_VERSION, &sctx, &cctx,
+ cert, privkey)) {
printf("Unable to create SSL_CTX pair\n");
return 0;
}
diff --git a/test/ssltest_old.c b/test/ssltest_old.c
index 83e3e73..fccd2a4 100644
--- a/test/ssltest_old.c
+++ b/test/ssltest_old.c
@@ -1432,17 +1432,24 @@ int main(int argc, char *argv[])
} else if (tls1) {
min_version = TLS1_VERSION;
max_version = TLS1_VERSION;
+ } else {
+ min_version = SSL3_VERSION;
+ max_version = TLS_MAX_VERSION;
}
#endif
#ifndef OPENSSL_NO_DTLS
- if (dtls || dtls1 || dtls12)
+ if (dtls || dtls1 || dtls12) {
meth = DTLS_method();
- if (dtls1) {
- min_version = DTLS1_VERSION;
- max_version = DTLS1_VERSION;
- } else if (dtls12) {
- min_version = DTLS1_2_VERSION;
- max_version = DTLS1_2_VERSION;
+ if (dtls1) {
+ min_version = DTLS1_VERSION;
+ max_version = DTLS1_VERSION;
+ } else if (dtls12) {
+ min_version = DTLS1_2_VERSION;
+ max_version = DTLS1_2_VERSION;
+ } else {
+ min_version = DTLS_MIN_VERSION;
+ max_version = DTLS_MAX_VERSION;
+ }
}
#endif
@@ -1467,14 +1474,26 @@ int main(int argc, char *argv[])
SSL_CTX_set_options(s_ctx, SSL_OP_NO_TICKET);
}
- if (SSL_CTX_set_min_proto_version(c_ctx, min_version) == 0)
+ if (SSL_CTX_set_min_proto_version(c_ctx, min_version) == 0) {
+ printf("Unable to set client min protocol version (0x%X)\n",
+ min_version);
goto end;
- if (SSL_CTX_set_max_proto_version(c_ctx, max_version) == 0)
+ }
+ if (SSL_CTX_set_max_proto_version(c_ctx, max_version) == 0) {
+ printf("Unable to set client max protocol version (0x%X)\n",
+ max_version);
goto end;
- if (SSL_CTX_set_min_proto_version(s_ctx, min_version) == 0)
+ }
+ if (SSL_CTX_set_min_proto_version(s_ctx, min_version) == 0) {
+ printf("Unable to set server min protocol version (0x%X)\n",
+ min_version);
goto end;
- if (SSL_CTX_set_max_proto_version(s_ctx, max_version) == 0)
+ }
+ if (SSL_CTX_set_max_proto_version(s_ctx, max_version) == 0) {
+ printf("Unable to set server max protocol version (0x%X)\n",
+ max_version);
goto end;
+ }
if (cipher != NULL) {
if (!SSL_CTX_set_cipher_list(c_ctx, cipher)
diff --git a/test/ssltestlib.c b/test/ssltestlib.c
index 8725491..1babf7a 100644
--- a/test/ssltestlib.c
+++ b/test/ssltestlib.c
@@ -524,6 +524,7 @@ static int mempacket_test_puts(BIO *bio, const char *str)
}
int create_ssl_ctx_pair(const SSL_METHOD *sm, const SSL_METHOD *cm,
+ int min_proto_version, int max_proto_version,
SSL_CTX **sctx, SSL_CTX **cctx, char *certfile,
char *privkeyfile)
{
@@ -538,6 +539,30 @@ int create_ssl_ctx_pair(const SSL_METHOD *sm, const SSL_METHOD *cm,
goto err;
}
+ if (min_proto_version > 0
+ && !SSL_CTX_set_min_proto_version(serverctx, min_proto_version)) {
+ printf("Unable to set server min protocol versions\n");
+ goto err;
+ }
+ if (max_proto_version > 0
+ && !SSL_CTX_set_max_proto_version(serverctx, max_proto_version)) {
+ printf("Unable to set server max protocol versions\n");
+ goto err;
+ }
+
+ if (clientctx != NULL) {
+ if (min_proto_version > 0
+ && !SSL_CTX_set_max_proto_version(clientctx, max_proto_version)) {
+ printf("Unable to set client max protocol versions\n");
+ goto err;
+ }
+ if (max_proto_version > 0
+ && !SSL_CTX_set_min_proto_version(clientctx, min_proto_version)) {
+ printf("Unable to set client min protocol versions\n");
+ goto err;
+ }
+ }
+
if (SSL_CTX_use_certificate_file(serverctx, certfile,
SSL_FILETYPE_PEM) <= 0) {
printf("Failed to load server certificate\n");
diff --git a/test/ssltestlib.h b/test/ssltestlib.h
index bd9272f..eb7b886 100644
--- a/test/ssltestlib.h
+++ b/test/ssltestlib.h
@@ -13,6 +13,7 @@
# include <openssl/ssl.h>
int create_ssl_ctx_pair(const SSL_METHOD *sm, const SSL_METHOD *cm,
+ int min_proto_version, int max_proto_version,
SSL_CTX **sctx, SSL_CTX **cctx, char *certfile,
char *privkeyfile);
int create_ssl_objects(SSL_CTX *serverctx, SSL_CTX *clientctx, SSL **sssl,
diff --git a/util/perl/TLSProxy/Proxy.pm b/util/perl/TLSProxy/Proxy.pm
index 88b048e..7d9cb37 100644
--- a/util/perl/TLSProxy/Proxy.pm
+++ b/util/perl/TLSProxy/Proxy.pm
@@ -178,7 +178,7 @@ sub start
$pid = fork();
if ($pid == 0) {
my $execcmd = $self->execute
- ." s_server -no_comp -rev -engine ossltest -accept "
+ ." s_server -max_protocol TLSv1.2 -no_comp -rev -engine ossltest -accept "
.($self->server_port)
." -cert ".$self->cert." -naccept ".$self->serverconnects;
unless ($self->supports_IPv6) {
@@ -215,7 +215,7 @@ sub clientstart
$echostr = "test";
}
my $execcmd = "echo ".$echostr." | ".$self->execute
- ." s_client -engine ossltest -connect "
+ ." s_client -max_protocol TLSv1.2 -engine ossltest -connect "
.($self->proxy_addr).":".($self->proxy_port);
unless ($self->supports_IPv6) {
$execcmd .= " -4";
More information about the openssl-commits
mailing list