[openssl] master update

Matt Caswell matt at openssl.org
Thu Aug 20 16:14:07 UTC 2020


The branch master has been updated
       via  8ca6c6669fb6ebd4412be7e243eefdaa6b88aec6 (commit)
       via  a361cb841d75eae2c1c385f869fbdb598d2c60a7 (commit)
      from  2a33470b4f23bcf1cd66bbf645c855142efa0ed9 (commit)


- Log -----------------------------------------------------------------
commit 8ca6c6669fb6ebd4412be7e243eefdaa6b88aec6
Author: Matt Caswell <matt at openssl.org>
Date:   Tue Aug 18 17:25:51 2020 +0100

    Test mte with stitched ciphersuites in TLSv1.0
    
    The previous commit fixed a bug with mte, stitched ciphersuites and
    TLSv1.0. We now add a test for that scenario.
    
    Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
    (Merged from https://github.com/openssl/openssl/pull/12670)

commit a361cb841d75eae2c1c385f869fbdb598d2c60a7
Author: Matt Caswell <matt at openssl.org>
Date:   Tue Aug 18 12:28:45 2020 +0100

    Fix stitched ciphersuites in TLS1.0
    
    TLS1.0 does not have an explicit IV in the record, and therefore we should
    not attempt to remove it.
    
    Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
    (Merged from https://github.com/openssl/openssl/pull/12670)

-----------------------------------------------------------------------

Summary of changes:
 .../ciphers/cipher_aes_cbc_hmac_sha.c              | 22 ++++++
 test/ssl-tests/19-mac-then-encrypt.cnf             | 84 +++++++++++++++++++++-
 test/ssl-tests/19-mac-then-encrypt.cnf.in          | 53 ++++++++++++++
 3 files changed, 158 insertions(+), 1 deletion(-)

diff --git a/providers/implementations/ciphers/cipher_aes_cbc_hmac_sha.c b/providers/implementations/ciphers/cipher_aes_cbc_hmac_sha.c
index ae853b7eb9..9c927352a2 100644
--- a/providers/implementations/ciphers/cipher_aes_cbc_hmac_sha.c
+++ b/providers/implementations/ciphers/cipher_aes_cbc_hmac_sha.c
@@ -16,6 +16,8 @@
 
 /* Dispatch functions for AES_CBC_HMAC_SHA ciphers */
 
+/* Only for SSL3_VERSION and TLS1_VERSION */
+#include <openssl/ssl.h>
 #include "cipher_aes_cbc_hmac_sha.h"
 #include "prov/implementations.h"
 
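Review bot: The new `#include <openssl/ssl.h>` pulls the whole libssl public header into a provider cipher implementation for the sake of two constants, as the added comment itself acknowledges. If the provider is meant to build without leaning on libssl headers, `SSL3_VERSION` and `TLS1_VERSION` would be better taken from a small shared header that holds only the protocol version numbers. Failing that, the comment could state the restriction explicitly, e.g. `/* Only for SSL3_VERSION and TLS1_VERSION; nothing else from libssl may be used here */`.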
@@ -172,6 +174,26 @@ static int aes_set_ctx_params(void *vctx, const OSSL_PARAM params[])
             return 0;
         }
     }
+
+    p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_TLS_VERSION);
+    if (p != NULL) {
+        if (!OSSL_PARAM_get_uint(p, &ctx->base.tlsversion)) {
+            ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
+            return 0;
+        }
+        if (ctx->base.tlsversion == SSL3_VERSION
+                || ctx->base.tlsversion == TLS1_VERSION) {
+            if (!ossl_assert(ctx->base.removetlspad >= AES_BLOCK_SIZE)) {
+                ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR);
+                return 0;
+            }
+            /*
+             * There is no explicit IV with these TLS versions, so don't attempt
+             * to remove it.
+             */
+            ctx->base.removetlspad -= AES_BLOCK_SIZE;
+        }
+    }
     return ret;
 }
 
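Review bot: The adjustment `ctx->base.removetlspad -= AES_BLOCK_SIZE;` is relative to whatever `removetlspad` currently holds, so setting `OSSL_CIPHER_PARAM_TLS_VERSION` twice on the same context would subtract the block size twice, and setting it before `removetlspad` has its initial value trips the `ossl_assert`. Where that initial value comes from is not visible here (the body of `aes_set_ctx_params` starts above the hunk), so the code presumably relies on the caller setting the version exactly once per key setup; that contract deserves a comment such as `/* Set TLS_VERSION only once per key setup: the adjustment below is relative to the current removetlspad */`. Note also that `ctx->base.tlsversion` has already been overwritten when the assert path returns 0, which leaves the context half-updated; reading into a local `unsigned int` and committing both fields together would avoid that. Judging by its name, this field decides how many bytes are stripped from a decrypted record around the padding and MAC handling, so a wrong amount would surface as record failures rather than as an obvious parameter error.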
diff --git a/test/ssl-tests/19-mac-then-encrypt.cnf b/test/ssl-tests/19-mac-then-encrypt.cnf
index 0dd384ea6c..803c2c0c0f 100644
--- a/test/ssl-tests/19-mac-then-encrypt.cnf
+++ b/test/ssl-tests/19-mac-then-encrypt.cnf
@@ -1,6 +1,6 @@
 # Generated with generate_ssl_tests.pl
 
-num_tests = 6
+num_tests = 9
 
 test-0 = 0-disable-encrypt-then-mac-server-sha
 test-1 = 1-disable-encrypt-then-mac-client-sha
@@ -8,6 +8,9 @@ test-2 = 2-disable-encrypt-then-mac-both-sha
 test-3 = 3-disable-encrypt-then-mac-server-sha2
 test-4 = 4-disable-encrypt-then-mac-client-sha2
 test-5 = 5-disable-encrypt-then-mac-both-sha2
+test-6 = 6-disable-encrypt-then-mac-server-sha-tls1
+test-7 = 7-disable-encrypt-then-mac-client-sha-tls1
+test-8 = 8-disable-encrypt-then-mac-both-sha-tls1
 # ===========================================================
 
 [0-disable-encrypt-then-mac-server-sha]
@@ -160,3 +163,82 @@ VerifyMode = Peer
 ExpectedResult = Success
 
 
+# ===========================================================
+
+[6-disable-encrypt-then-mac-server-sha-tls1]
+ssl_conf = 6-disable-encrypt-then-mac-server-sha-tls1-ssl
+
+[6-disable-encrypt-then-mac-server-sha-tls1-ssl]
+server = 6-disable-encrypt-then-mac-server-sha-tls1-server
+client = 6-disable-encrypt-then-mac-server-sha-tls1-client
+
+[6-disable-encrypt-then-mac-server-sha-tls1-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT:@SECLEVEL=0
+Options = -EncryptThenMac
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[6-disable-encrypt-then-mac-server-sha-tls1-client]
+CipherString = AES128-SHA at SECLEVEL=0
+MaxProtocol = TLSv1
+MinProtocol = TLSv1
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-6]
+ExpectedResult = Success
+
+
+# ===========================================================
+
+[7-disable-encrypt-then-mac-client-sha-tls1]
+ssl_conf = 7-disable-encrypt-then-mac-client-sha-tls1-ssl
+
+[7-disable-encrypt-then-mac-client-sha-tls1-ssl]
+server = 7-disable-encrypt-then-mac-client-sha-tls1-server
+client = 7-disable-encrypt-then-mac-client-sha-tls1-client
+
+[7-disable-encrypt-then-mac-client-sha-tls1-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT:@SECLEVEL=0
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[7-disable-encrypt-then-mac-client-sha-tls1-client]
+CipherString = AES128-SHA at SECLEVEL=0
+MaxProtocol = TLSv1
+MinProtocol = TLSv1
+Options = -EncryptThenMac
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-7]
+ExpectedResult = Success
+
+
+# ===========================================================
+
+[8-disable-encrypt-then-mac-both-sha-tls1]
+ssl_conf = 8-disable-encrypt-then-mac-both-sha-tls1-ssl
+
+[8-disable-encrypt-then-mac-both-sha-tls1-ssl]
+server = 8-disable-encrypt-then-mac-both-sha-tls1-server
+client = 8-disable-encrypt-then-mac-both-sha-tls1-client
+
+[8-disable-encrypt-then-mac-both-sha-tls1-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT:@SECLEVEL=0
+Options = -EncryptThenMac
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[8-disable-encrypt-then-mac-both-sha-tls1-client]
+CipherString = AES128-SHA at SECLEVEL=0
+MaxProtocol = TLSv1
+MinProtocol = TLSv1
+Options = -EncryptThenMac
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-8]
+ExpectedResult = Success
+
+
diff --git a/test/ssl-tests/19-mac-then-encrypt.cnf.in b/test/ssl-tests/19-mac-then-encrypt.cnf.in
index 32b7b7dfdb..074b1d1380 100644
--- a/test/ssl-tests/19-mac-then-encrypt.cnf.in
+++ b/test/ssl-tests/19-mac-then-encrypt.cnf.in
@@ -13,6 +13,8 @@ package ssltests;
 
 use OpenSSL::Test::Utils;
 
+our $fips_mode;
+
 our @tests = (
     {
         name => "disable-encrypt-then-mac-server-sha",
@@ -99,4 +101,55 @@ my @tests_tls1_2 = (
     },
 );
 
+our @tests_tls1 = (
+    {
+        name => "disable-encrypt-then-mac-server-sha-tls1",
+        server => {
+          "CipherString" => 'DEFAULT:@SECLEVEL=0',
+          "Options" => "-EncryptThenMac",
+        },
+        client => {
+          "CipherString" => 'AES128-SHA at SECLEVEL=0',
+          "MinProtocol" => "TLSv1",
+          "MaxProtocol" => "TLSv1"
+        },
+        test   => {
+          "ExpectedResult" => "Success",
+        },
+    },
+    {
+        name => "disable-encrypt-then-mac-client-sha-tls1",
+        server => {
+          "CipherString" => 'DEFAULT:@SECLEVEL=0',
+        },
+        client => {
+          "CipherString" => 'AES128-SHA at SECLEVEL=0',
+          "Options" => "-EncryptThenMac",
+          "MinProtocol" => "TLSv1",
+          "MaxProtocol" => "TLSv1"
+        },
+        test   => {
+          "ExpectedResult" => "Success",
+        },
+    },
+    {
+        name => "disable-encrypt-then-mac-both-sha-tls1",
+        server => {
+          "CipherString" => 'DEFAULT:@SECLEVEL=0',
+          "Options" => "-EncryptThenMac",
+        },
+        client => {
+          "CipherString" => 'AES128-SHA at SECLEVEL=0',
+          "Options" => "-EncryptThenMac",
+          "MinProtocol" => "TLSv1",
+          "MaxProtocol" => "TLSv1"
+        },
+        test   => {
+          "ExpectedResult" => "Success",
+        },
+    },
+);
+
+
 push @tests, @tests_tls1_2 unless disabled("tls1_2");
+push @tests, @tests_tls1 unless disabled("tls1") || $fips_mode;
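Review bot: The new `@tests_tls1` cases cover only TLSv1 with `AES128-SHA`, while the fix in `cipher_aes_cbc_hmac_sha.c` also takes the no-explicit-IV path for `SSL3_VERSION`, so that branch stays untested; an SSLv3 variant guarded by `disabled("ssl3")` would close the gap, if the harness can negotiate it. The final `push` line skips these tests under `$fips_mode` without saying why; a one-line comment such as `# TLSv1 relies on the MD5/SHA-1 PRF, which is not available in FIPS mode` (reason to be confirmed by the author) would help the next reader. The client cipher strings read `AES128-SHA at SECLEVEL=0` on this page, which looks like the mail archive's address obfuscation of an `@` rather than what was committed, so the patch should be taken from the repository and not copied from here.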

