Re: [openssl-dev] FW: 1.1 master fails mac-then-encrypt test

2016-11-30 Thread Blumenthal, Uri - 0553 - MITLL 
I confirm that this fix (currently in the master) resolves the issue.

Thanks!
— 
Regards,
Uri


On 11/29/16, 4:53 AM, "openssl-dev on behalf of Matt Caswell" 
 wrote:



On 28/11/16 23:00, Blumenthal, Uri - 0553 - MITLL wrote:
> > The problem is in the test. Version negotiation happens before 
cipher
> > selection. The test creates a connection which negotiates TLSv1.3. 
It
> > then attempts to select a cipher. However no TLSv1.3 ciphers are 
offered
> > by the test so the connection aborts. In truth the test is all about
> > mac-then-encrypt which doesn't apply to TLSv1.3 anyway, so the test
> > should just disable negotiation of that protocol version.
> 
> Thanks for explaining! 
> 
> Would you be able to push a fix for this test?

Fix is in github:

https://github.com/openssl/openssl/pull/2013

Matt

-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev



smime.p7s
Description: S/MIME cryptographic signature
-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] FW: 1.1 master fails mac-then-encrypt test

2016-11-29 Thread Matt Caswell 


On 28/11/16 23:00, Blumenthal, Uri - 0553 - MITLL wrote:
> > The problem is in the test. Version negotiation happens before cipher
> > selection. The test creates a connection which negotiates TLSv1.3. It
> > then attempts to select a cipher. However no TLSv1.3 ciphers are offered
> > by the test so the connection aborts. In truth the test is all about
> > mac-then-encrypt which doesn't apply to TLSv1.3 anyway, so the test
> > should just disable negotiation of that protocol version.
> 
> Thanks for explaining! 
> 
> Would you be able to push a fix for this test?

Fix is in github:

https://github.com/openssl/openssl/pull/2013

Matt

-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] FW: 1.1 master fails mac-then-encrypt test

2016-11-28 Thread Blumenthal, Uri - 0553 - MITLL 
> The problem is in the test. Version negotiation happens before cipher
> selection. The test creates a connection which negotiates TLSv1.3. It
> then attempts to select a cipher. However no TLSv1.3 ciphers are offered
> by the test so the connection aborts. In truth the test is all about
> mac-then-encrypt which doesn't apply to TLSv1.3 anyway, so the test
> should just disable negotiation of that protocol version.

Thanks for explaining! 

Would you be able to push a fix for this test?


smime.p7s
Description: S/MIME cryptographic signature
-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] FW: 1.1 master fails mac-then-encrypt test

2016-11-28 Thread Matt Caswell 


On 28/11/16 21:58, Blumenthal, Uri - 0553 - MITLL wrote:
>> I can't reproduce this. But on the other hand I don't have previous
> >installation on --prefix. 
> 
> But did you add “enable-tls1_3” to your config?
> 
> >I mean I would guess this is because test
> >program picks shared libraries at --prefix locations instead of just
> >built ones, and those don't recognize 19-mac-then-encrypt.conf options.
> >Originally shlib_wrap.sh had DYLD_INSERT_LIBRARIES to make it work, but
> >it appears to be gone now... You should be able to confirm this by
> >temporarily renaming --prefix location and running 'make test' or
> >forcing install without testing...
> 
> I forced the install without testing, and then re-ran the entire build and 
> test. I’m getting the very same problem.  I must also say that I’ve been 
> tracking 1.1 branch for a very long time, always using this approach (without 
> even forcing the install – it did not seem confused regarding what libraries 
> to link against). 
> 
> The only thing that changed for this build now was addition of 
> “enable-tls1_3” config option (and of course, pulling the latest stuff from 
> the master).
> 
> Removing “enable-tls1_3” and reconfiguring makes this error disappear. So I 
> think it’s somewhere in tls1_3 code. ;-)

The problem is in the test. Version negotiation happens before cipher
selection. The test creates a connection which negotiates TLSv1.3. It
then attempts to select a cipher. However no TLSv1.3 ciphers are offered
by the test so the connection aborts. In truth the test is all about
mac-then-encrypt which doesn't apply to TLSv1.3 anyway, so the test
should just disable negotiation of that protocol version.

Matt

-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] FW: 1.1 master fails mac-then-encrypt test

2016-11-28 Thread Andy Polyakov 
>> I can't reproduce this. But on the other hand I don't have previous
> >installation on --prefix. 
> 
> But did you add “enable-tls1_3” to your config?
> 
> >I mean I would guess this is because test
> >program picks shared libraries at --prefix locations instead of just
> >built ones, and those don't recognize 19-mac-then-encrypt.conf options.
> >Originally shlib_wrap.sh had DYLD_INSERT_LIBRARIES to make it work, but
> >it appears to be gone now... You should be able to confirm this by
> >temporarily renaming --prefix location and running 'make test' or
> >forcing install without testing...
> 
> I forced the install without testing, and then re-ran the entire build and 
> test. I’m getting the very same problem.  I must also say that I’ve been 
> tracking 1.1 branch for a very long time, always using this approach (without 
> even forcing the install – it did not seem confused regarding what libraries 
> to link against). 
> 
> The only thing that changed for this build now was addition of 
> “enable-tls1_3” config option (and of course, pulling the latest stuff from 
> the master).
> 
> Removing “enable-tls1_3” and reconfiguring makes this error disappear. So I 
> think it’s somewhere in tls1_3 code. ;-)

Oh! Missed that. I was concentrated on the fact that it was reported in
MacOS X context... Since it's not my platform of choice I ran only first
suggested test. But it appears that it's actually not os-specific and
can be reproduced even on Linux. Sorry about misleading the discussion.

-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] FW: 1.1 master fails mac-then-encrypt test

2016-11-28 Thread Blumenthal, Uri - 0553 - MITLL 
>I can't reproduce this. But on the other hand I don't have previous
>installation on --prefix. 

But did you add “enable-tls1_3” to your config?

>I mean I would guess this is because test
>program picks shared libraries at --prefix locations instead of just
>built ones, and those don't recognize 19-mac-then-encrypt.conf options.
>Originally shlib_wrap.sh had DYLD_INSERT_LIBRARIES to make it work, but
>it appears to be gone now... You should be able to confirm this by
>temporarily renaming --prefix location and running 'make test' or
>forcing install without testing...

I forced the install without testing, and then re-ran the entire build and 
test. I’m getting the very same problem.  I must also say that I’ve been 
tracking 1.1 branch for a very long time, always using this approach (without 
even forcing the install – it did not seem confused regarding what libraries to 
link against). 

The only thing that changed for this build now was addition of “enable-tls1_3” 
config option (and of course, pulling the latest stuff from the master).

Removing “enable-tls1_3” and reconfiguring makes this error disappear. So I 
think it’s somewhere in tls1_3 code. ;-)


smime.p7s
Description: S/MIME cryptographic signature
-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] FW: 1.1 master fails mac-then-encrypt test

2016-11-28 Thread Andy Polyakov 
> Mac OS X 10.11.6, Xcode-8.1. 
> 
> $ ./Configure darwin64-x86_64-cc enable-threads enable-shared enable-zlib 
> enable-ec_nistp_64_gcc_128 enable-rfc3779 
> --prefix=/Users/ur20980/src/openssl-1.1 
> --openssldir=/Users/ur20980/src/openssl-1.1/etc
> Configuring OpenSSL version 1.1.1-dev (0x10101000L)
> no-asan [default]  OPENSSL_NO_ASAN
> no-crypto-mdebug [default]  OPENSSL_NO_CRYPTO_MDEBUG
> no-crypto-mdebug-backtrace [default]  
> OPENSSL_NO_CRYPTO_MDEBUG_BACKTRACE
> no-egd  [default]  OPENSSL_NO_EGD
> no-external-tests [default]  OPENSSL_NO_EXTERNAL_TESTS
> no-fuzz-afl [default]  OPENSSL_NO_FUZZ_AFL
> no-fuzz-libfuzzer [default]  OPENSSL_NO_FUZZ_LIBFUZZER
> no-heartbeats   [default]  OPENSSL_NO_HEARTBEATS
> no-md2  [default]  OPENSSL_NO_MD2 (skip dir)
> no-msan [default]  OPENSSL_NO_MSAN
> no-rc5  [default]  OPENSSL_NO_RC5 (skip dir)
> no-sctp [default]  OPENSSL_NO_SCTP
> no-ssl-trace[default]  OPENSSL_NO_SSL_TRACE
> no-ssl3 [default]  OPENSSL_NO_SSL3
> no-ssl3-method  [default]  OPENSSL_NO_SSL3_METHOD
> no-tls1_3   [default]  OPENSSL_NO_TLS1_3
> no-ubsan[default]  OPENSSL_NO_UBSAN
> no-unit-test[default]  OPENSSL_NO_UNIT_TEST
> no-weak-ssl-ciphers [default]  OPENSSL_NO_WEAK_SSL_CIPHERS
> no-zlib-dynamic [default] 
> Configuring for darwin64-x86_64-cc
> 
> PERL  =/opt/local/bin/perl5.24
> PERLVERSION   =5.24.0 for darwin-thread-multi-2level
> HASHBANGPERL  =/usr/bin/env perl
> CC=clang
> CFLAG =-O3 -D_REENTRANT -arch x86_64 -DL_ENDIAN -Wall 
> CXX   =clang++
> CXXFLAG   =-O3 -D_REENTRANT -arch x86_64 -DL_ENDIAN -Wall 
> DEFINES   =ZLIB DSO_DLFCN HAVE_DLFCN_H NDEBUG OPENSSL_THREADS 
> OPENSSL_NO_STATIC_ENGINE OPENSSL_PIC OPENSSL_IA32_SSE2 OPENSSL_BN_ASM_MONT 
> OPENSSL_BN_ASM_MONT5 OPENSSL_BN_ASM_GF2m SHA1_ASM SHA256_ASM SHA512_ASM 
> RC4_ASM MD5_ASM AES_ASM VPAES_ASM BSAES_ASM GHASH_ASM ECP_NISTZ256_ASM 
> PADLOCK_ASM POLY1305_ASM
> EX_LIBS   =-lz 
> $ ./Configure darwin64-x86_64-cc enable-threads enable-shared enable-zlib 
> enable-ec_nistp_64_gcc_128 enable-rfc3779 enable-rc5 enable-tls1_3 
> --prefix=/Users/ur20980/src/openssl-1.1 
> --openssldir=/Users/ur20980/src/openssl-1.1/etc
> Configuring OpenSSL version 1.1.1-dev (0x10101000L)
> no-asan [default]  OPENSSL_NO_ASAN
> no-crypto-mdebug [default]  OPENSSL_NO_CRYPTO_MDEBUG
> no-crypto-mdebug-backtrace [default]  
> OPENSSL_NO_CRYPTO_MDEBUG_BACKTRACE
> no-egd  [default]  OPENSSL_NO_EGD
> no-external-tests [default]  OPENSSL_NO_EXTERNAL_TESTS
> no-fuzz-afl [default]  OPENSSL_NO_FUZZ_AFL
> no-fuzz-libfuzzer [default]  OPENSSL_NO_FUZZ_LIBFUZZER
> no-heartbeats   [default]  OPENSSL_NO_HEARTBEATS
> no-md2  [default]  OPENSSL_NO_MD2 (skip dir)
> no-msan [default]  OPENSSL_NO_MSAN
> no-sctp [default]  OPENSSL_NO_SCTP
> no-ssl-trace[default]  OPENSSL_NO_SSL_TRACE
> no-ssl3 [default]  OPENSSL_NO_SSL3
> no-ssl3-method  [default]  OPENSSL_NO_SSL3_METHOD
> no-ubsan[default]  OPENSSL_NO_UBSAN
> no-unit-test[default]  OPENSSL_NO_UNIT_TEST
> no-weak-ssl-ciphers [default]  OPENSSL_NO_WEAK_SSL_CIPHERS
> no-zlib-dynamic [default] 
> Configuring for darwin64-x86_64-cc
> 
> PERL  =/opt/local/bin/perl5.24
> PERLVERSION   =5.24.0 for darwin-thread-multi-2level
> HASHBANGPERL  =/usr/bin/env perl
> CC=clang
> CFLAG =-O3 -D_REENTRANT -arch x86_64 -DL_ENDIAN -Wall 
> CXX   =clang++
> CXXFLAG   =-O3 -D_REENTRANT -arch x86_64 -DL_ENDIAN -Wall 
> DEFINES   =ZLIB DSO_DLFCN HAVE_DLFCN_H NDEBUG OPENSSL_THREADS 
> OPENSSL_NO_STATIC_ENGINE OPENSSL_PIC OPENSSL_IA32_SSE2 OPENSSL_BN_ASM_MONT 
> OPENSSL_BN_ASM_MONT5 OPENSSL_BN_ASM_GF2m SHA1_ASM SHA256_ASM SHA512_ASM 
> RC4_ASM MD5_ASM AES_ASM VPAES_ASM BSAES_ASM GHASH_ASM ECP_NISTZ256_ASM 
> PADLOCK_ASM POLY1305_ASM
> EX_LIBS   =-lz 
> $ make depend && make clean && make -j 4 all && make test && make install
> . . . . .
> 
> ../test/recipes/80-test_ssl_new.t .. 15/19 
> #   Failed test 'running ssl_test 19-mac-then-encrypt.conf'
> #   at ../test/recipes/80-test_ssl_new.t line 121.
> # Looks like you failed 1 test of 3.
> 
> #   Failed test 'Test configuration 19-mac-then-encrypt.conf'
> #   at ../test/recipes/80-test_ssl_new.t line 87.
> # Looks like you failed 1 test of 19.
> ../test/recipes/80-test_ssl_new.t .. Dubious, test returned 1 
> (wstat 256, 0x100)
> Failed 1/19 subtests 
> . . . . .

I can't