[openssl] master update
Matt Caswell
matt at openssl.org
Tue Apr 21 13:50:55 UTC 2020
The branch master has been updated
via eb7598039683971b020a3d1395b2ca1257579a59 (commit)
via 62ba834554d8795cb247a3a6fd630b56f1716709 (commit)
from 1e78a50f5a9d4874e910a3b42f10c176197aea88 (commit)
- Log -----------------------------------------------------------------
commit eb7598039683971b020a3d1395b2ca1257579a59
Author: Matt Caswell <matt at openssl.org>
Date: Mon Apr 20 17:06:40 2020 +0100
Fix an ssl_test_old test failure
In builds where SSLv3 is enabled ssl_test_old was failing. We need to
make sure we disable SSLv3 related tests when using the FIPS provider.
[extended tests]
Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11586)
commit 62ba834554d8795cb247a3a6fd630b56f1716709
Author: Matt Caswell <matt at openssl.org>
Date: Mon Apr 20 17:04:57 2020 +0100
Fix test_ssl_new test failure
A couple of fetches of the MD5 and SHA1 digests were not using the
libctx in libssl and causing test_ssl_new to fail in travis. This
only occurs on builds with SSLv3 enabled (its disabled by default).
[extended tests]
Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11586)
-----------------------------------------------------------------------
Summary of changes:
ssl/s3_enc.c | 10 ++++++----
test/recipes/80-test_ssl_old.t | 3 +++
2 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/ssl/s3_enc.c b/ssl/s3_enc.c
index 76bea32dbd..f67f47a933 100644
--- a/ssl/s3_enc.c
+++ b/ssl/s3_enc.c
@@ -17,7 +17,7 @@
static int ssl3_generate_key_block(SSL *s, unsigned char *km, int num)
{
- EVP_MD *md5;
+ const EVP_MD *md5 = NULL, *sha1 = NULL;
EVP_MD_CTX *m5;
EVP_MD_CTX *s1;
unsigned char buf[16], smd[SHA_DIGEST_LENGTH];
@@ -29,10 +29,11 @@ static int ssl3_generate_key_block(SSL *s, unsigned char *km, int num)
c = os_toascii[c]; /* 'A' in ASCII */
#endif
k = 0;
- md5 = EVP_MD_fetch(NULL, OSSL_DIGEST_NAME_MD5, "-fips");
+ md5 = ssl_evp_md_fetch(s->ctx->libctx, NID_md5, s->ctx->propq);
+ sha1 = ssl_evp_md_fetch(s->ctx->libctx, NID_sha1, s->ctx->propq);
m5 = EVP_MD_CTX_new();
s1 = EVP_MD_CTX_new();
- if (md5 == NULL || m5 == NULL || s1 == NULL) {
+ if (md5 == NULL || sha1 == NULL || m5 == NULL || s1 == NULL) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_GENERATE_KEY_BLOCK,
ERR_R_MALLOC_FAILURE);
goto err;
@@ -49,7 +50,7 @@ static int ssl3_generate_key_block(SSL *s, unsigned char *km, int num)
for (j = 0; j < k; j++)
buf[j] = c;
c++;
- if (!EVP_DigestInit_ex(s1, EVP_sha1(), NULL)
+ if (!EVP_DigestInit_ex(s1, sha1, NULL)
|| !EVP_DigestUpdate(s1, buf, k)
|| !EVP_DigestUpdate(s1, s->session->master_key,
s->session->master_key_length)
@@ -87,6 +88,7 @@ static int ssl3_generate_key_block(SSL *s, unsigned char *km, int num)
EVP_MD_CTX_free(m5);
EVP_MD_CTX_free(s1);
ssl_evp_md_free(md5);
+ ssl_evp_md_free(sha1);
return ret;
}
diff --git a/test/recipes/80-test_ssl_old.t b/test/recipes/80-test_ssl_old.t
index e065821719..78bb89338b 100644
--- a/test/recipes/80-test_ssl_old.t
+++ b/test/recipes/80-test_ssl_old.t
@@ -361,6 +361,9 @@ sub testssl {
skip "SSLv3 is not supported by this OpenSSL build", 4
if disabled("ssl3");
+ skip "SSLv3 is not supported by the FIPS provider", 4
+ if $provider eq "fips";
+
ok(run(test([@ssltest, "-bio_pair", "-ssl3"])),
'test sslv3 via BIO pair');
ok(run(test([@ssltest, "-bio_pair", "-ssl3", "-server_auth", @CA])),
More information about the openssl-commits
mailing list