The branch master has been updated via 5f21b440681db5aecf29fbd930d1d8c912fc99b4 (commit) via cb091295a9ff16f4de1a8b00be444d40ac068d04 (commit) via 88e09fe79b909fbfe266e87a2731f96c197726fb (commit) via b6306d8049b04dca7fa738a86c892c43ba6a5fc4 (commit) from 0488c0bbbe87eee3a800797b91350c653e9f1711 (commit)
- Log ----------------------------------------------------------------- commit 5f21b440681db5aecf29fbd930d1d8c912fc99b4 Author: Benjamin Kaduk <bka...@akamai.com> Date: Thu Dec 7 16:45:47 2017 -0600 Fix test_tls13messages with no-ocsp s_client -status is not available in this configuration. While here, remove an outdated TODO(TLS1.3) comment. Reviewed-by: Matt Caswell <m...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4873) commit cb091295a9ff16f4de1a8b00be444d40ac068d04 Author: Benjamin Kaduk <bka...@akamai.com> Date: Thu Dec 7 16:37:54 2017 -0600 Wrap more of ocspapitest.c in OPENSSL_NO_OCSP make_dummy_resp() uses OCSP types, and get_cert_and_key() is unused once make_dummy_resp() is compiled out, so neither can be included in the build when OCSP is disabled and strict warnings are active. Reviewed-by: Matt Caswell <m...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4873) commit 88e09fe79b909fbfe266e87a2731f96c197726fb Author: Benjamin Kaduk <bka...@akamai.com> Date: Thu Dec 7 14:23:35 2017 -0600 Fix coverity nit in handshake_helper.c There's no reason to wrap this call in TEST_true() if we're not checking the return value of TEST_true() -- all of the surrounding similar calls do not have the macro wrapping them. Reviewed-by: Matt Caswell <m...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4873) commit b6306d8049b04dca7fa738a86c892c43ba6a5fc4 Author: Benjamin Kaduk <bka...@akamai.com> Date: Thu Dec 7 14:14:47 2017 -0600 Fix coverity-reported errors in ocspapitest Avoid memory leaks in error paths, and correctly apply parentheses to function calls in a long if-chain. Reviewed-by: Matt Caswell <m...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4873) ----------------------------------------------------------------------- Summary of changes: test/handshake_helper.c | 4 +-- test/ocspapitest.c | 36 ++++++++++++--------- test/recipes/70-test_tls13messages.t | 61 ++++++++++++++++++------------------ 3 files changed, 55 insertions(+), 46 deletions(-) diff --git a/test/handshake_helper.c b/test/handshake_helper.c index 78eaa01..0add973 100644 --- a/test/handshake_helper.c +++ b/test/handshake_helper.c @@ -497,8 +497,8 @@ static int configure_handshake_ctx(SSL_CTX *server_ctx, SSL_CTX *server2_ctx, case TLSEXT_max_fragment_length_2048: case TLSEXT_max_fragment_length_4096: case TLSEXT_max_fragment_length_DISABLED: - TEST_true(SSL_CTX_set_tlsext_max_fragment_length( - client_ctx, extra->client.max_fragment_len_mode)); + SSL_CTX_set_tlsext_max_fragment_length( + client_ctx, extra->client.max_fragment_len_mode); break; } diff --git a/test/ocspapitest.c b/test/ocspapitest.c index e76f7243..43b03e3 100644 --- a/test/ocspapitest.c +++ b/test/ocspapitest.c @@ -21,6 +21,7 @@ static const char *certstr; static const char *privkeystr; +#ifndef OPENSSL_NO_OCSP static int get_cert_and_key(X509 **cert_out, EVP_PKEY **key_out) { BIO *certbio, *keybio; @@ -51,7 +52,8 @@ static OCSP_BASICRESP *make_dummy_resp(void) const unsigned char namestr[] = "openssl.example.com"; unsigned char keybytes[128] = {7}; OCSP_BASICRESP *bs = OCSP_BASICRESP_new(); - OCSP_CERTID *cid; + OCSP_BASICRESP *bs_out = NULL; + OCSP_CERTID *cid = NULL; ASN1_TIME *thisupd = ASN1_TIME_set(NULL, time(NULL)); ASN1_TIME *nextupd = ASN1_TIME_set(NULL, time(NULL) + 200); X509_NAME *name = X509_NAME_new(); @@ -60,9 +62,9 @@ static OCSP_BASICRESP *make_dummy_resp(void) if (!X509_NAME_add_entry_by_NID(name, NID_commonName, MBSTRING_ASC, namestr, -1, -1, 1) - || !ASN1_BIT_STRING_set(key, keybytes, sizeof(keybytes) - || !ASN1_INTEGER_set_uint64(serial, (uint64_t)1))) - return NULL; + || !ASN1_BIT_STRING_set(key, keybytes, sizeof(keybytes)) + || !ASN1_INTEGER_set_uint64(serial, (uint64_t)1)) + goto err; cid = OCSP_cert_id_new(EVP_sha256(), name, key, serial); if (!TEST_ptr(bs) || !TEST_ptr(thisupd) @@ -71,23 +73,27 @@ static OCSP_BASICRESP *make_dummy_resp(void) || !TEST_true(OCSP_basic_add1_status(bs, cid, V_OCSP_CERTSTATUS_UNKNOWN, 0, NULL, thisupd, nextupd))) - return NULL; + goto err; + bs_out = bs; + bs = NULL; + err: ASN1_TIME_free(thisupd); ASN1_TIME_free(nextupd); ASN1_BIT_STRING_free(key); ASN1_INTEGER_free(serial); OCSP_CERTID_free(cid); + OCSP_BASICRESP_free(bs); X509_NAME_free(name); - return bs; + return bs_out; } -#ifndef OPENSSL_NO_OCSP static int test_resp_signer(void) { - OCSP_BASICRESP *bs; + OCSP_BASICRESP *bs = NULL; X509 *signer = NULL, *tmp; EVP_PKEY *key = NULL; - STACK_OF(X509) *extra_certs; + STACK_OF(X509) *extra_certs = NULL; + int ret = 0; /* * Test a response with no certs at all; get the signer from the @@ -101,10 +107,10 @@ static int test_resp_signer(void) || !TEST_true(sk_X509_push(extra_certs, signer)) || !TEST_true(OCSP_basic_sign(bs, signer, key, EVP_sha1(), NULL, OCSP_NOCERTS))) - return 0; + goto err; if (!TEST_true(OCSP_resp_get0_signer(bs, &tmp, extra_certs)) || !TEST_int_eq(X509_cmp(tmp, signer), 0)) - return 0; + goto err; OCSP_BASICRESP_free(bs); /* Do it again but include the signer cert */ @@ -113,15 +119,17 @@ static int test_resp_signer(void) if (!TEST_ptr(bs) || !TEST_true(OCSP_basic_sign(bs, signer, key, EVP_sha1(), NULL, 0))) - return 0; + goto err; if (!TEST_true(OCSP_resp_get0_signer(bs, &tmp, NULL)) || !TEST_int_eq(X509_cmp(tmp, signer), 0)) - return 0; + goto err; + ret = 1; + err: OCSP_BASICRESP_free(bs); sk_X509_free(extra_certs); X509_free(signer); EVP_PKEY_free(key); - return 1; + return ret; } #endif diff --git a/test/recipes/70-test_tls13messages.t b/test/recipes/70-test_tls13messages.t index aaecbd3..5bd2a96 100644 --- a/test/recipes/70-test_tls13messages.t +++ b/test/recipes/70-test_tls13messages.t @@ -170,38 +170,39 @@ checkhandshake($proxy, checkhandshake::RESUME_HANDSHAKE, | checkhandshake::PSK_SRV_EXTENSION), "Resumption handshake test"); -#Test 3: A status_request handshake (client request only) -$proxy->clear(); -$proxy->clientflags("-status"); -$proxy->start(); -checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE, - checkhandshake::DEFAULT_EXTENSIONS - | checkhandshake::STATUS_REQUEST_CLI_EXTENSION, - "status_request handshake test (client)"); +SKIP: { + skip "No OCSP support in this OpenSSL build", 3 + if disabled("ct") || disabled("ec") || disabled("ocsp"); + #Test 3: A status_request handshake (client request only) + $proxy->clear(); + $proxy->clientflags("-status"); + $proxy->start(); + checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE, + checkhandshake::DEFAULT_EXTENSIONS + | checkhandshake::STATUS_REQUEST_CLI_EXTENSION, + "status_request handshake test (client)"); -#Test 4: A status_request handshake (server support only) -$proxy->clear(); -$proxy->serverflags("-status_file " - .srctop_file("test", "recipes", "ocsp-response.der")); -$proxy->start(); -checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE, - checkhandshake::DEFAULT_EXTENSIONS, - "status_request handshake test (server)"); + #Test 4: A status_request handshake (server support only) + $proxy->clear(); + $proxy->serverflags("-status_file " + .srctop_file("test", "recipes", "ocsp-response.der")); + $proxy->start(); + checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE, + checkhandshake::DEFAULT_EXTENSIONS, + "status_request handshake test (server)"); -#Test 5: A status_request handshake (client and server) -#TODO(TLS1.3): TLS1.3 doesn't actually have CertificateStatus messages. This is -#a temporary test until such time as we do proper TLS1.3 style certificate -#status -$proxy->clear(); -$proxy->clientflags("-status"); -$proxy->serverflags("-status_file " - .srctop_file("test", "recipes", "ocsp-response.der")); -$proxy->start(); -checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE, - checkhandshake::DEFAULT_EXTENSIONS - | checkhandshake::STATUS_REQUEST_CLI_EXTENSION - | checkhandshake::STATUS_REQUEST_SRV_EXTENSION, - "status_request handshake test"); + #Test 5: A status_request handshake (client and server) + $proxy->clear(); + $proxy->clientflags("-status"); + $proxy->serverflags("-status_file " + .srctop_file("test", "recipes", "ocsp-response.der")); + $proxy->start(); + checkhandshake($proxy, checkhandshake::DEFAULT_HANDSHAKE, + checkhandshake::DEFAULT_EXTENSIONS + | checkhandshake::STATUS_REQUEST_CLI_EXTENSION + | checkhandshake::STATUS_REQUEST_SRV_EXTENSION, + "status_request handshake test"); +} #Test 6: A client auth handshake $proxy->clear(); _____ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits