diff options
author | Kazuki Yamaguchi <k@rhe.jp> | 2021-10-25 00:09:24 +0900 |
---|---|---|
committer | Kazuki Yamaguchi <k@rhe.jp> | 2021-11-01 17:48:02 +0900 |
commit | 1ac7f23bb8568b41e511bbe5dfc85c141cc8b2c2 (patch) | |
tree | 47be3ba98451d90ac4b63b34fc2026a5726dc0e3 /test/openssl | |
parent | f0226f9a017e288d1c91f7a1777996804784fb8a (diff) |
[ruby/openssl] ssl: disallow reading/writing to unstarted SSL socket
OpenSSL::SSL::SSLSocket allowed #read and #write to be called before an
SSL/TLS handshake is completed. They passed unencrypted data to the
underlying socket.
This behavior is very odd to have in this library. A verbose mode
warning "SSL session is not started yet" was emitted whenever this
happened. It also didn't behave well with OpenSSL::Buffering. Let's
just get rid of it.
Fixes: https://github.com/ruby/openssl/issues/9
https://github.com/ruby/openssl/commit/bf780748b3
Diffstat (limited to 'test/openssl')
-rw-r--r-- | test/openssl/test_ssl.rb | 63 |
1 files changed, 12 insertions, 51 deletions
diff --git a/test/openssl/test_ssl.rb b/test/openssl/test_ssl.rb index 65dbe7ac24..70c46a9347 100644 --- a/test/openssl/test_ssl.rb +++ b/test/openssl/test_ssl.rb @@ -373,59 +373,20 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase } end - def test_read_nonblock_without_session - EnvUtil.suppress_warning do - start_server(start_immediately: false) { |port| - sock = TCPSocket.new("127.0.0.1", port) - ssl = OpenSSL::SSL::SSLSocket.new(sock) - ssl.sync_close = true - - assert_equal :wait_readable, ssl.read_nonblock(100, exception: false) - ssl.write("abc\n") - IO.select [ssl] - assert_equal('a', ssl.read_nonblock(1)) - assert_equal("bc\n", ssl.read_nonblock(100)) - assert_equal :wait_readable, ssl.read_nonblock(100, exception: false) - ssl.close - } - end - end - - def test_starttls - server_proc = -> (ctx, ssl) { - while line = ssl.gets - if line =~ /^STARTTLS$/ - ssl.write("x") - ssl.flush - ssl.accept - break - end - ssl.write(line) - end - readwrite_loop(ctx, ssl) - } - - EnvUtil.suppress_warning do # read/write on not started session - start_server(start_immediately: false, - server_proc: server_proc) { |port| - begin - sock = TCPSocket.new("127.0.0.1", port) - ssl = OpenSSL::SSL::SSLSocket.new(sock) - - ssl.puts "plaintext" - assert_equal "plaintext\n", ssl.gets + def test_unstarted_session + start_server do |port| + sock = TCPSocket.new("127.0.0.1", port) + ssl = OpenSSL::SSL::SSLSocket.new(sock) - ssl.puts("STARTTLS") - ssl.read(1) - ssl.connect + assert_raise(OpenSSL::SSL::SSLError) { ssl.syswrite("data") } + assert_raise(OpenSSL::SSL::SSLError) { ssl.sysread(1) } - ssl.puts "over-tls" - assert_equal "over-tls\n", ssl.gets - ensure - ssl&.close - sock&.close - end - } + ssl.connect + ssl.puts "abc" + assert_equal "abc\n", ssl.gets + ensure + ssl&.close + sock&.close end end |