summaryrefslogtreecommitdiff
path: root/test/openssl
diff options
context:
space:
mode:
authorrhe <rhe@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>2016-09-08 01:09:19 +0000
committerrhe <rhe@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>2016-09-08 01:09:19 +0000
commita128c0d33f1d7a66c2c8c5d57fde40acd97becae (patch)
tree6b5d9600c76e8432c1d22e9ef9223910e8162d0f /test/openssl
parentba6ae341bab83dfc7a624c5bf20d8d162dacaff9 (diff)
openssl: import v2.0.0.beta.2
* {ext,test}/openssl: Import Ruby/OpenSSL 2.0.0.beta.2. The full commit history since v2.0.0.beta.1 can be found at: https://github.com/ruby/openssl/compare/v2.0.0.beta.1...v2.0.0.beta.2 git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@56098 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Diffstat (limited to 'test/openssl')
-rw-r--r--test/openssl/test_pair.rb157
-rw-r--r--test/openssl/test_pkcs12.rb106
-rw-r--r--test/openssl/test_ssl.rb681
-rw-r--r--test/openssl/test_ssl_session.rb12
-rw-r--r--test/openssl/utils.rb24
5 files changed, 433 insertions, 547 deletions
diff --git a/test/openssl/test_pair.rb b/test/openssl/test_pair.rb
index 92502229792..7d962c385ab 100644
--- a/test/openssl/test_pair.rb
+++ b/test/openssl/test_pair.rb
@@ -113,11 +113,25 @@ module OpenSSL::TestPairM
}
end
+ def test_gets
+ ssl_pair {|s1, s2|
+ s1 << "abc\n\n$def123ghi"
+ s1.close
+ ret = s2.gets
+ assert_equal Encoding::BINARY, ret.encoding
+ assert_equal "abc\n", ret
+ assert_equal "\n$", s2.gets("$")
+ assert_equal "def123", s2.gets(/\d+/)
+ assert_equal "ghi", s2.gets
+ assert_equal nil, s2.gets
+ }
+ end
+
def test_gets_eof_limit
ssl_pair {|s1, s2|
s1.write("hello")
s1.close # trigger EOF
- assert_match "hello", s2.gets("\n", 6), "[ruby-core:70149] [Bug #11140]"
+ assert_match "hello", s2.gets("\n", 6), "[ruby-core:70149] [Bug #11400]"
}
end
@@ -344,147 +358,6 @@ module OpenSSL::TestPairM
serv.close if serv && !serv.closed?
end
- def test_connect_works_when_setting_dh_callback_to_nil
- ctx2 = OpenSSL::SSL::SSLContext.new
- ctx2.ciphers = "DH"
- ctx2.security_level = 0
- ctx2.tmp_dh_callback = nil
- sock1, sock2 = tcp_pair
- s2 = OpenSSL::SSL::SSLSocket.new(sock2, ctx2)
- s2.accept_nonblock(exception: false)
-
- ctx1 = OpenSSL::SSL::SSLContext.new
- ctx1.ciphers = "DH"
- ctx1.security_level = 0
- ctx1.tmp_dh_callback = nil
- s1 = OpenSSL::SSL::SSLSocket.new(sock1, ctx1)
- t = Thread.new { s1.connect }
-
- EnvUtil.suppress_warning { # uses default callback
- assert_nothing_raised { s2.accept }
- }
- assert_equal s1, t.value
- ensure
- t.join if t
- s1.close if s1
- s2.close if s2
- sock1.close if sock1
- sock2.close if sock2
- end
-
- def test_connect_without_setting_dh_callback
- ctx2 = OpenSSL::SSL::SSLContext.new
- ctx2.ciphers = "DH"
- ctx2.security_level = 0
- sock1, sock2 = tcp_pair
- s2 = OpenSSL::SSL::SSLSocket.new(sock2, ctx2)
- s2.accept_nonblock(exception: false)
-
- ctx1 = OpenSSL::SSL::SSLContext.new
- ctx1.ciphers = "DH"
- ctx1.security_level = 0
- s1 = OpenSSL::SSL::SSLSocket.new(sock1, ctx1)
- t = Thread.new { s1.connect }
-
- EnvUtil.suppress_warning { # default DH
- assert_nothing_raised { s2.accept }
- }
- assert_equal s1, t.value
- ensure
- t.join if t
- s1.close if s1
- s2.close if s2
- sock1.close if sock1
- sock2.close if sock2
- end
-
- def test_ecdh_callback
- return unless OpenSSL::SSL::SSLContext.instance_methods.include?(:tmp_ecdh_callback)
- EnvUtil.suppress_warning do # tmp_ecdh_callback is deprecated (2016-05)
- begin
- called = false
- ctx2 = OpenSSL::SSL::SSLContext.new
- ctx2.ciphers = "ECDH"
- # OpenSSL 1.1.0 doesn't have tmp_ecdh_callback so this shouldn't be required
- ctx2.security_level = 0
- ctx2.tmp_ecdh_callback = ->(*args) {
- called = true
- OpenSSL::PKey::EC.new "prime256v1"
- }
-
- sock1, sock2 = tcp_pair
-
- s2 = OpenSSL::SSL::SSLSocket.new(sock2, ctx2)
- ctx1 = OpenSSL::SSL::SSLContext.new
- ctx1.ciphers = "ECDH"
- ctx1.security_level = 0
-
- s1 = OpenSSL::SSL::SSLSocket.new(sock1, ctx1)
- th = Thread.new do
- begin
- rv = s1.connect_nonblock(exception: false)
- case rv
- when :wait_writable
- IO.select(nil, [s1], nil, 5)
- when :wait_readable
- IO.select([s1], nil, nil, 5)
- end
- end until rv == s1
- end
-
- s2.accept
- assert called, 'ecdh callback should be called'
- rescue OpenSSL::SSL::SSLError => e
- if e.message =~ /no cipher match/
- pend "ECDH cipher not supported."
- else
- raise e
- end
- ensure
- th.join if th
- s1.close if s1
- s2.close if s2
- sock1.close if sock1
- sock2.close if sock2
- end
- end
- end
-
- def test_ecdh_curves
- sock1, sock2 = tcp_pair
-
- ctx1 = OpenSSL::SSL::SSLContext.new
- begin
- ctx1.ciphers = "ECDH"
- rescue OpenSSL::SSL::SSLError
- pend "ECDH is not enabled in this OpenSSL" if $!.message =~ /no cipher match/
- raise
- end
- ctx1.ecdh_curves = "P-384:P-521"
- ctx1.security_level = 0
- s1 = OpenSSL::SSL::SSLSocket.new(sock1, ctx1)
-
- ctx2 = OpenSSL::SSL::SSLContext.new
- ctx2.ciphers = "ECDH"
- ctx2.ecdh_curves = "P-256:P-384"
- ctx2.security_level = 0
- s2 = OpenSSL::SSL::SSLSocket.new(sock2, ctx2)
-
- th = Thread.new { s1.accept }
- s2.connect
-
- assert s2.cipher[0].start_with?("AECDH"), "AECDH should be used"
- if s2.respond_to?(:tmp_key)
- assert_equal "secp384r1", s2.tmp_key.group.curve_name
- end
- ensure
- th.join if th
- s1.close if s1
- s2.close if s2
- sock1.close if sock1
- sock2.close if sock2
- end
-
def test_connect_accept_nonblock_no_exception
ctx2 = OpenSSL::SSL::SSLContext.new
ctx2.ciphers = "ADH"
diff --git a/test/openssl/test_pkcs12.rb b/test/openssl/test_pkcs12.rb
index 7ab501c4807..4f2544dfeef 100644
--- a/test/openssl/test_pkcs12.rb
+++ b/test/openssl/test_pkcs12.rb
@@ -180,6 +180,112 @@ Li8JsX5yIiuVYaBg/6ha3tOg4TCa5K/3r3tVliRZ2Es=
end
end
+ def test_new_with_one_key_and_one_cert
+ # generated with:
+ # openssl version #=> OpenSSL 1.0.2h 3 May 2016
+ # openssl pkcs12 -in <@mycert> -inkey <RSA1024> -export -out <out>
+ str = <<~EOF.unpack("m").first
+MIIGQQIBAzCCBgcGCSqGSIb3DQEHAaCCBfgEggX0MIIF8DCCAu8GCSqGSIb3DQEH
+BqCCAuAwggLcAgEAMIIC1QYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQYwDgQIeZPM
+Rh6KiXgCAggAgIICqL6O+LCZmBzdIg6mozPF3FpY0hVbWHvTNMiDHieW3CrAanhN
+YCH2/wHqH8WpFpEWwF0qEEXAWjHsIlYB4Cfqo6b7XpuZe5eVESsjNTOTMF1JCUJj
+A6iNefXmCFLync1JK5LUodRDhTlKLU1WPK20X9X4vuEwHn8wt5RUb8P0E+Xh6rpS
+XC4LkZKT45zF3cJa/n5+dW65ohVGNVnF9D1bCNEKHMOllK1V9omutQ9slW88hpga
+LGiFsJoFOb/ESGb78KO+bd6zbX1MdKdBV+WD6t1uF/cgU65y+2A4nXs1urda+MJ7
+7iVqiB7Vnc9cANTbAkTSGNyoUDVM/NZde782/8IvddLAzUZ2EftoRDke6PvuBOVL
+ljBhNWmdamrtBqzuzVZCRdWq44KZkF2Xoc9asepwIkdVmntzQF7f1Z+Ta5yg6HFp
+xnr7CuM+MlHEShXkMgYtHnwAq10fDMSXIvjhi/AA5XUAusDO3D+hbtcRDcJ4uUes
+dm5dhQE2qJ02Ysn4aH3o1F3RYNOzrxejHJwl0D2TCE8Ww2X342xib57+z9u03ufj
+jswhiMKxy67f1LhUMq3XrT3uV6kCVXk/KUOUPcXPlPVNA5JmZeFhMp6GrtB5xJJ9
+wwBZD8UL5A2U2Mxi2OZsdUBv8eo3jnjZ284aFpt+mCjIHrLW5O0jwY8OCwSlYUoY
+IY00wlabX0s82kBcIQNZbC1RSV2267ro/7A0MClc8YQ/zWN0FKY6apgtUkHJI1cL
+1dc77mhnjETjwW94iLMDFy4zQfVu7IfCBqOBzygRNnqqUG66UhTs1xFnWM0mWXl/
+Zh9+AMpbRLIPaKCktIjl5juzzm+KEgkhD+707XRCFIGUYGP5bSHzGaz8PK9hj0u1
+E2SpZHUvYOcawmxtA7pmpSxl5uQjMIIC+QYJKoZIhvcNAQcBoIIC6gSCAuYwggLi
+MIIC3gYLKoZIhvcNAQwKAQKgggKmMIICojAcBgoqhkiG9w0BDAEDMA4ECKB338m8
+qSzHAgIIAASCAoACFhJeqA3xx+s1qIH6udNQYY5hAL6oz7SXoGwFhDiceSyJjmAD
+Dby9XWM0bPl1Gj5nqdsuI/lAM++fJeoETk+rxw8q6Ofk2zUaRRE39qgpwBwSk44o
+0SAFJ6bzHpc5CFh6sZmDaUX5Lm9GtjnGFmmsPTSJT5an5JuJ9WczGBEd0nSBQhJq
+xHbTGZiN8i3SXcIH531Sub+CBIFWy5lyCKgDYh/kgJFGQAaWUOjLI+7dCEESonXn
+F3Jh2uPbnDF9MGJyAFoNgWFhgSpi1cf6AUi87GY4Oyur88ddJ1o0D0Kz2uw8/bpG
+s3O4PYnIW5naZ8mozzbnYByEFk7PoTwM7VhoFBfYNtBoAI8+hBnPY/Y71YUojEXf
+SeX6QbtkIANfzS1XuFNKElShC3DPQIHpKzaatEsfxHfP+8VOav6zcn4mioao7NHA
+x7Dp6R1enFGoQOq4UNjBT8YjnkG5vW8zQHW2dAHLTJBq6x2Fzm/4Pjo/8vM1FiGl
+BQdW5vfDeJ/l6NgQm3xR9ka2E2HaDqIcj1zWbN8jy/bHPFJYuF/HH8MBV/ngMIXE
+vFEW/ToYv8eif0+EpUtzBsCKD4a7qYYYh87RmEVoQU96q6m+UbhpD2WztYfAPkfo
+OSL9j2QHhVczhL7OAgqNeM95pOsjA9YMe7exTeqK31LYnTX8oH8WJD1xGbRSJYgu
+SY6PQbumcJkc/TFPn0GeVUpiDdf83SeG50lo/i7UKQi2l1hi5Y51fQhnBnyMr68D
+llSZEvSWqfDxBJkBpeg6PIYvkTpEwKRJpVQoM3uYvdqVSSnW6rydqIb+snfOrlhd
+f+xCtq9xr+kHeTSqLIDRRAnMfgFRhY3IBlj6MSUwIwYJKoZIhvcNAQkVMRYEFBdb
+8XGWehZ6oPj56Pf/uId46M9AMDEwITAJBgUrDgMCGgUABBRvSCB04/f8f13pp2PF
+vyl2WuMdEwQIMWFFphPkIUICAggA
+ EOF
+ p12 = OpenSSL::PKCS12.new(str, "abc123")
+
+ assert_equal TEST_KEY_RSA1024.to_der, p12.key.to_der
+ assert_equal @mycert.subject.to_der, p12.certificate.subject.to_der
+ assert_equal [], Array(p12.ca_certs)
+ end
+
+ def test_new_with_no_keys
+ # generated with:
+ # openssl pkcs12 -in <@mycert> -nokeys -export -out <out>
+ str = <<~EOF.unpack("m").first
+MIIDHAIBAzCCAuIGCSqGSIb3DQEHAaCCAtMEggLPMIICyzCCAscGCSqGSIb3DQEH
+BqCCArgwggK0AgEAMIICrQYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQYwDgQIX4+W
+irqwH40CAggAgIICgOaCyo+5+6IOVoGCCL80c50bkkzAwqdXxvkKExJSdcJz2uMU
+0gRrKnZEjL5wrUsN8RwZu8DvgQTEhNEkKsUgM7AWainmN/EnwohIdHZAHpm6WD67
+I9kLGp0/DHrqZrV9P2dLfhXLUSQE8PI0tqZPZ8UEABhizkViw4eISTkrOUN7pGbN
+Qtx/oqgitXDuX2polbxYYDwt9vfHZhykHoKgew26SeJyZfeMs/WZ6olEI4cQUAFr
+mvYGuC1AxEGTo9ERmU8Pm16j9Hr9PFk50WYe+rnk9oX3wJogQ7XUWS5kYf7XRycd
+NDkNiwV/ts94bbuaGZp1YA6I48FXpIc8b5fX7t9tY0umGaWy0bARe1L7o0Y89EPe
+lMg25rOM7j3uPtFG8whbSfdETSy57UxzzTcJ6UwexeaK6wb2jqEmj5AOoPLWeaX0
+LyOAszR3v7OPAcjIDYZGdrbb3MZ2f2vo2pdQfu9698BrWhXuM7Odh73RLhJVreNI
+aezNOAtPyBlvGiBQBGTzRIYHSLL5Y5aVj2vWLAa7hjm5qTL5C5mFdDIo6TkEMr6I
+OsexNQofEGs19kr8nARXDlcbEimk2VsPj4efQC2CEXZNzURsKca82pa62MJ8WosB
+DTFd8X06zZZ4nED50vLopZvyW4fyW60lELwOyThAdG8UchoAaz2baqP0K4de44yM
+Y5/yPFDu4+GoimipJfbiYviRwbzkBxYW8+958ILh0RtagLbvIGxbpaym9PqGjOzx
+ShNXjLK2aAFZsEizQ8kd09quJHU/ogq2cUXdqqhmOqPnUWrJVi/VCoRB3Pv1/lE4
+mrUgr2YZ11rYvBw6g5XvNvFcSc53OKyV7SLn0dwwMTAhMAkGBSsOAwIaBQAEFEWP
+1WRQykaoD4uJCpTx/wv0SLLBBAiDKI26LJK7xgICCAA=
+ EOF
+ p12 = OpenSSL::PKCS12.new(str, "abc123")
+
+ assert_equal nil, p12.key
+ assert_equal nil, p12.certificate
+ assert_equal 1, p12.ca_certs.size
+ assert_equal @mycert.subject.to_der, p12.ca_certs[0].subject.to_der
+ end
+
+ def test_new_with_no_certs
+ # generated with:
+ # openssl pkcs12 -inkey <RSA1024> -nocerts -export -out <out>
+ str = <<~EOF.unpack("m").first
+MIIDJwIBAzCCAu0GCSqGSIb3DQEHAaCCAt4EggLaMIIC1jCCAtIGCSqGSIb3DQEH
+AaCCAsMEggK/MIICuzCCArcGCyqGSIb3DQEMCgECoIICpjCCAqIwHAYKKoZIhvcN
+AQwBAzAOBAg6AaYnJs84SwICCAAEggKAQzZH+fWSpcQYD1J7PsGSune85A++fLCQ
+V7tacp2iv95GJkxwYmfTP176pJdgs00mceB9UJ/u9EX5nD0djdjjQjwo6sgKjY0q
+cpVhZw8CMxw7kBD2dhtui0zT8z5hy03LePxsjEKsGiSbeVeeGbSfw/I6AAYbv+Uh
+O/YPBGumeHj/D2WKnfsHJLQ9GAV3H6dv5VKYNxjciK7f/JEyZCuUQGIN64QFHDhJ
+7fzLqd/ul3FZzJZO6a+dwvcgux09SKVXDRSeFmRCEX4b486iWhJJVspCo9P2KNne
+ORrpybr3ZSwxyoICmjyo8gj0OSnEfdx9790Ej1takPqSA1wIdSdBLekbZqB0RBQg
+DEuPOsXNo3QFi8ji1vu0WBRJZZSNC2hr5NL6lNR+DKxG8yzDll2j4W4BBIp22mAE
+7QRX7kVxu17QJXQhOUac4Dd1qXmzebP8t6xkAxD9L7BWEN5OdiXWwSWGjVjMBneX
+nYObi/3UT/aVc5WHMHK2BhCI1bwH51E6yZh06d5m0TQpYGUTWDJdWGBSrp3A+8jN
+N2PMQkWBFrXP3smHoTEN4oZC4FWiPsIEyAkQsfKRhcV9lGKl2Xgq54ROTFLnwKoj
+Z3zJScnq9qmNzvVZSMmDLkjLyDq0pxRxGKBvgouKkWY7VFFIwwBIJM39iDJ5NbBY
+i1AQFTRsRSsZrNVPasCXrIq7bhMoJZb/YZOGBLNyJVqKUoYXhtwsajzSq54VlWft
+JxsPayEd4Vi6O9EU1ahnj6qFEZiKFzsicgK2J1Rb8cYagrp0XWjHW0SBn5GVUWCg
+GUokSFG/0JTdeYTo/sQuG4qNgJkOolRjpeI48Fciq5VUWLvVdKioXzAxMCEwCQYF
+Kw4DAhoFAAQUYAuwVtGD1TdgbFK4Yal2XBgwUR4ECEawsN3rNaa6AgIIAA==
+ EOF
+ p12 = OpenSSL::PKCS12.new(str, "abc123")
+
+ assert_equal TEST_KEY_RSA1024.to_der, p12.key.to_der
+ assert_equal nil, p12.certificate
+ assert_equal [], Array(p12.ca_certs)
+ end
+
def test_dup
p12 = OpenSSL::PKCS12.create("pass", "name", TEST_KEY_RSA1024, @mycert)
assert_equal p12.to_der, p12.dup.to_der
diff --git a/test/openssl/test_ssl.rb b/test/openssl/test_ssl.rb
index 1b9548a3e9f..0af93a8bc24 100644
--- a/test/openssl/test_ssl.rb
+++ b/test/openssl/test_ssl.rb
@@ -5,182 +5,96 @@ if defined?(OpenSSL::TestUtils)
class OpenSSL::TestSSL < OpenSSL::SSLTestCase
- def test_ctx_setup
+ def test_ctx_options
ctx = OpenSSL::SSL::SSLContext.new
- assert_equal(ctx.setup, true)
- assert_equal(ctx.setup, nil)
- end
-
- def test_ctx_setup_invalid
- m = OpenSSL::SSL::SSLContext::METHODS.first
- assert_raise_with_message(ArgumentError, /null/) {
- OpenSSL::SSL::SSLContext.new("#{m}\0")
- }
- assert_raise_with_message(ArgumentError, /\u{ff33 ff33 ff2c}/) {
- OpenSSL::SSL::SSLContext.new("\u{ff33 ff33 ff2c}")
- }
- end
- def test_options_defaults_to_OP_ALL_on
- ctx = OpenSSL::SSL::SSLContext.new
- assert_equal(OpenSSL::SSL::OP_ALL, (OpenSSL::SSL::OP_ALL & ctx.options))
- end
-
- def test_setting_twice
- ctx = OpenSSL::SSL::SSLContext.new
+ assert (OpenSSL::SSL::OP_ALL & ctx.options) == OpenSSL::SSL::OP_ALL,
+ "OP_ALL is set by default"
ctx.options = 4
- assert_equal 4, (ctx.options & OpenSSL::SSL::OP_ALL)
- ctx.options = OpenSSL::SSL::OP_ALL
- assert_equal OpenSSL::SSL::OP_ALL, (ctx.options & OpenSSL::SSL::OP_ALL)
- end
-
- def test_options_setting_nil_means_all
- ctx = OpenSSL::SSL::SSLContext.new
+ assert_equal 4, ctx.options
ctx.options = nil
- assert_equal(OpenSSL::SSL::OP_ALL, (OpenSSL::SSL::OP_ALL & ctx.options))
- end
-
- def test_setting_options_raises_after_setup
- ctx = OpenSSL::SSL::SSLContext.new
- options = ctx.options
- ctx.setup
- assert_raise(RuntimeError) do
- ctx.options = options
- end
- end
-
- def test_ctx_setup_no_compression
- ctx = OpenSSL::SSL::SSLContext.new
- ctx.options = OpenSSL::SSL::OP_ALL | OpenSSL::SSL::OP_NO_COMPRESSION
- assert_equal(ctx.setup, true)
- assert_equal(ctx.setup, nil)
- assert_equal(OpenSSL::SSL::OP_NO_COMPRESSION,
- ctx.options & OpenSSL::SSL::OP_NO_COMPRESSION)
- end if defined?(OpenSSL::SSL::OP_NO_COMPRESSION)
-
- def test_ctx_setup_with_extra_chain_cert
- ctx = OpenSSL::SSL::SSLContext.new
- ctx.extra_chain_cert = [@ca_cert, @cli_cert]
- assert_equal(ctx.setup, true)
- assert_equal(ctx.setup, nil)
- end
+ assert_equal OpenSSL::SSL::OP_ALL, ctx.options
- def test_not_started_session
- pend "non socket argument of SSLSocket.new is not supported on this platform" if /mswin|mingw/ =~ RUBY_PLATFORM
- open(__FILE__) do |f|
- assert_nil EnvUtil.suppress_warning { OpenSSL::SSL::SSLSocket.new(f).cert }
- end
+ assert_equal true, ctx.setup
+ assert_predicate ctx, :frozen?
+ assert_equal nil, ctx.setup
end
- def test_ssl_gets
- start_server(OpenSSL::SSL::VERIFY_NONE, true) { |server, port|
- server_connect(port) { |ssl|
- ssl.write "abc\n"
- IO.select [ssl]
-
- line = ssl.gets
+ def test_ssl_with_server_cert
+ ctx_proc = -> ctx {
+ ctx.cert = @svr_cert
+ ctx.key = @svr_key
+ ctx.extra_chain_cert = [@ca_cert]
+ }
+ server_proc = -> (ctx, ssl) {
+ assert_equal @svr_cert.to_der, ssl.cert.to_der
+ assert_equal nil, ssl.peer_cert
- assert_equal "abc\n", line
- assert_equal Encoding::BINARY, line.encoding
- }
+ readwrite_loop(ctx, ssl)
}
- end
+ start_server(ctx_proc: ctx_proc, server_proc: server_proc) { |server, port|
+ begin
+ sock = TCPSocket.new("127.0.0.1", port)
+ ctx = OpenSSL::SSL::SSLContext.new
+ ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
+ ssl.connect
- def test_ssl_read_nonblock
- start_server(OpenSSL::SSL::VERIFY_NONE, true) { |server, port|
- server_connect(port) { |ssl|
- assert_raise(IO::WaitReadable) { ssl.read_nonblock(100) }
- ssl.write("abc\n")
- IO.select [ssl]
- assert_equal('a', ssl.read_nonblock(1))
- assert_equal("bc\n", ssl.read_nonblock(100))
- assert_raise(IO::WaitReadable) { ssl.read_nonblock(100) }
- }
+ assert_equal sock, ssl.io
+ assert_equal nil, ssl.cert
+ assert_equal @svr_cert.to_der, ssl.peer_cert.to_der
+ assert_equal 2, ssl.peer_cert_chain.size
+ assert_equal @svr_cert.to_der, ssl.peer_cert_chain[0].to_der
+ assert_equal @ca_cert.to_der, ssl.peer_cert_chain[1].to_der
+ ensure
+ ssl&.close
+ sock&.close
+ end
}
end
- def test_ssl_sysread_blocking_error
- start_server(OpenSSL::SSL::VERIFY_NONE, true) { |server, port|
+ def test_sysread_and_syswrite
+ start_server { |server, port|
server_connect(port) { |ssl|
- ssl.write("abc\n")
- assert_raise(TypeError) { ssl.sysread(4, exception: false) }
- buf = ''
- assert_raise(ArgumentError) { ssl.sysread(4, buf, exception: false) }
- assert_equal '', buf
- assert_equal buf.object_id, ssl.sysread(4, buf).object_id
- assert_equal "abc\n", buf
+ str = "x" * 100 + "\n"
+ ssl.syswrite(str)
+ newstr = ssl.sysread(str.bytesize)
+ assert_equal(str, newstr)
+
+ buf = ""
+ ssl.syswrite(str)
+ assert_same buf, ssl.sysread(str.size, buf)
+ assert_equal(str, newstr)
}
}
end
- def test_connect_and_close
- start_server(OpenSSL::SSL::VERIFY_NONE, true){|server, port|
- sock = TCPSocket.new("127.0.0.1", port)
- ssl = OpenSSL::SSL::SSLSocket.new(sock)
- assert(ssl.connect)
- ssl.close
- assert(!sock.closed?)
- sock.close
-
- sock = TCPSocket.new("127.0.0.1", port)
- ssl = OpenSSL::SSL::SSLSocket.new(sock)
- ssl.sync_close = true # !!
- assert(ssl.connect)
- ssl.close
- assert(sock.closed?)
- }
- end
-
- def test_read_and_write
- start_server(OpenSSL::SSL::VERIFY_NONE, true){|server, port|
- server_connect(port) { |ssl|
- # syswrite and sysread
- ITERATIONS.times{|i|
- str = "x" * 100 + "\n"
- ssl.syswrite(str)
- newstr = ''
- newstr << ssl.sysread(str.size - newstr.size) until newstr.size == str.size
- assert_equal(str, newstr)
-
- str = "x" * i * 100 + "\n"
- buf = ""
- ssl.syswrite(str)
- assert_equal(buf.object_id, ssl.sysread(str.size, buf).object_id)
- newstr = buf
- newstr << ssl.sysread(str.size - newstr.size) until newstr.size == str.size
- assert_equal(str, newstr)
- }
-
- # puts and gets
- ITERATIONS.times{
- str = "x" * 100 + "\n"
- ssl.puts(str)
- assert_equal(str, ssl.gets)
-
- str = "x" * 100
- ssl.puts(str)
- assert_equal(str, ssl.gets("\n", 100))
- assert_equal("\n", ssl.gets)
- }
+ def test_sync_close
+ start_server { |server, port|
+ begin
+ sock = TCPSocket.new("127.0.0.1", port)
+ ssl = OpenSSL::SSL::SSLSocket.new(sock)
+ ssl.connect
+ ssl.close
+ assert_not_predicate sock, :closed?
+ ensure
+ sock&.close
+ end
- # read and write
- ITERATIONS.times{|i|
- str = "x" * 100 + "\n"
- ssl.write(str)
- assert_equal(str, ssl.read(str.size))
-
- str = "x" * i * 100 + "\n"
- buf = ""
- ssl.write(str)
- assert_equal(buf.object_id, ssl.read(str.size, buf).object_id)
- assert_equal(str, buf)
- }
- }
+ begin
+ sock = TCPSocket.new("127.0.0.1", port)
+ ssl = OpenSSL::SSL::SSLSocket.new(sock)
+ ssl.sync_close = true # !!
+ ssl.connect
+ ssl.close
+ assert_predicate sock, :closed?
+ ensure
+ sock&.close
+ end
}
end
def test_copy_stream
- start_server(OpenSSL::SSL::VERIFY_NONE, true) do |server, port|
+ start_server do |server, port|
server_connect(port) do |ssl|
IO.pipe do |r, w|
str = "hello world\n"
@@ -195,7 +109,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
def test_client_auth_failure
vflag = OpenSSL::SSL::VERIFY_PEER|OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
- start_server(vflag, true, :ignore_listener_error => true){|server, port|
+ start_server(verify_mode: vflag, ignore_listener_error: true) { |server, port|
sock = TCPSocket.new("127.0.0.1", port)
ssl = OpenSSL::SSL::SSLSocket.new(sock)
ssl.sync_close = true
@@ -209,7 +123,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
def test_client_auth_success
vflag = OpenSSL::SSL::VERIFY_PEER|OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
- start_server(vflag, true){|server, port|
+ start_server(verify_mode: vflag) { |server, port|
ctx = OpenSSL::SSL::SSLContext.new
ctx.key = @cli_key
ctx.cert = @cli_cert
@@ -236,7 +150,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
def test_client_auth_public_key
vflag = OpenSSL::SSL::VERIFY_PEER|OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
- start_server(vflag, true, ignore_listener_error: true) do |server, port|
+ start_server(verify_mode: vflag, ignore_listener_error: true) do |server, port|
assert_raise(ArgumentError) {
ctx = OpenSSL::SSL::SSLContext.new
ctx.key = @cli_key.public_key
@@ -258,7 +172,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
end
vflag = OpenSSL::SSL::VERIFY_PEER|OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
- start_server(vflag, true, :ctx_proc => ctx_proc){|server, port|
+ start_server(verify_mode: vflag, ctx_proc: ctx_proc) { |server, port|
ctx = OpenSSL::SSL::SSLContext.new
client_ca_from_server = nil
ctx.client_cert_cb = Proc.new do |sslconn|
@@ -271,7 +185,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
def test_read_nonblock_without_session
OpenSSL::TestUtils.silent do
- start_server(OpenSSL::SSL::VERIFY_NONE, false){|server, port|
+ start_server(start_immediately: false) { |server, port|
sock = TCPSocket.new("127.0.0.1", port)
ssl = OpenSSL::SSL::SSLSocket.new(sock)
ssl.sync_close = true
@@ -288,32 +202,50 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
end
def test_starttls
- OpenSSL::TestUtils.silent do
- start_server(OpenSSL::SSL::VERIFY_NONE, false){|server, port|
- sock = TCPSocket.new("127.0.0.1", port)
- ssl = OpenSSL::SSL::SSLSocket.new(sock)
- ssl.sync_close = true
- str = "x" * 1000 + "\n"
+ server_proc = -> (ctx, ssl) {
+ begin
+ while line = ssl.gets
+ if line =~ /^STARTTLS$/
+ ssl.write("x")
+ ssl.flush
+ ssl.accept
+ next
+ end
+ ssl.write(line)
+ end
+ rescue OpenSSL::SSL::SSLError
+ rescue IOError
+ ensure
+ ssl.close rescue nil
+ end
+ }
- ITERATIONS.times{
- ssl.puts(str)
- assert_equal(str, ssl.gets)
- }
- starttls(ssl)
+ EnvUtil.suppress_warning do # read/write on not started session
+ start_server(start_immediately: false,
+ server_proc: server_proc) { |server, port|
+ begin
+ sock = TCPSocket.new("127.0.0.1", port)
+ ssl = OpenSSL::SSL::SSLSocket.new(sock)
- ITERATIONS.times{
- ssl.puts(str)
- assert_equal(str, ssl.gets)
- }
+ ssl.puts "plaintext"
+ assert_equal "plaintext\n", ssl.gets
- ssl.close
+ ssl.puts("STARTTLS")
+ ssl.read(1)
+ ssl.connect
+
+ ssl.puts "over-tls"
+ assert_equal "over-tls\n", ssl.gets
+ ensure
+ ssl&.close
+ sock&.close
+ end
}
end
end
def test_parallel
- GC.start
- start_server(OpenSSL::SSL::VERIFY_NONE, true){|server, port|
+ start_server { |server, port|
ssls = []
10.times{
sock = TCPSocket.new("127.0.0.1", port)
@@ -334,7 +266,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
end
def test_verify_result
- start_server(OpenSSL::SSL::VERIFY_NONE, true, :ignore_listener_error => true){|server, port|
+ start_server(ignore_listener_error: true) { |server, port|
sock = TCPSocket.new("127.0.0.1", port)
ctx = OpenSSL::SSL::SSLContext.new
ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
@@ -348,7 +280,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
end
}
- start_server(OpenSSL::SSL::VERIFY_NONE, true){|server, port|
+ start_server { |server, port|
sock = TCPSocket.new("127.0.0.1", port)
ctx = OpenSSL::SSL::SSLContext.new
ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
@@ -366,7 +298,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
end
}
- start_server(OpenSSL::SSL::VERIFY_NONE, true, :ignore_listener_error => true){|server, port|
+ start_server(ignore_listener_error: true) { |server, port|
sock = TCPSocket.new("127.0.0.1", port)
ctx = OpenSSL::SSL::SSLContext.new
ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
@@ -386,7 +318,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
end
def test_exception_in_verify_callback_is_ignored
- start_server(OpenSSL::SSL::VERIFY_NONE, true, :ignore_listener_error => true){|server, port|
+ start_server(ignore_listener_error: true) { |server, port|
sock = TCPSocket.new("127.0.0.1", port)
ctx = OpenSSL::SSL::SSLContext.new
ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
@@ -411,34 +343,40 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
def test_sslctx_set_params
ctx = OpenSSL::SSL::SSLContext.new
ctx.set_params
- assert_equal(OpenSSL::SSL::VERIFY_PEER, ctx.verify_mode)
- ciphers = ctx.ciphers
- ciphers_versions = ciphers.collect{|_, v, _, _| v }
- ciphers_names = ciphers.collect{|v, _, _, _| v }
- assert(ciphers_names.all?{|v| /A(EC)?DH/ !~ v })
- assert(ciphers_names.all?{|v| /(RC4|MD5|EXP)/ !~ v })
- assert(ciphers_versions.all?{|v| /SSLv2/ !~ v })
+
+ assert_equal OpenSSL::SSL::VERIFY_PEER, ctx.verify_mode
+ ciphers_names = ctx.ciphers.collect{|v, _, _, _| v }
+ assert ciphers_names.all?{|v| /A(EC)?DH/ !~ v }, "anon ciphers are disabled"
+ assert ciphers_names.all?{|v| /(RC4|MD5|EXP|DES)/ !~ v }, "weak ciphers are disabled"
+ assert_equal 0, ctx.options & OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS
+ if defined?(OpenSSL::SSL::OP_NO_COMPRESSION) # >= 1.0.0
+ assert_equal OpenSSL::SSL::OP_NO_COMPRESSION,
+ ctx.options & OpenSSL::SSL::OP_NO_COMPRESSION
+ end
end
def test_post_connect_check_with_anon_ciphers
- sslerr = OpenSSL::SSL::SSLError
+ ctx_proc = -> ctx {
+ ctx.ciphers = "aNULL"
+ ctx.security_level = 0
+ }
- start_server(OpenSSL::SSL::VERIFY_NONE, true, {use_anon_cipher: true}){|server, port|
+ start_server(ctx_proc: ctx_proc) { |server, port|
ctx = OpenSSL::SSL::SSLContext.new
ctx.ciphers = "aNULL"
ctx.security_level = 0
server_connect(port, ctx) { |ssl|
- assert_raise_with_message(sslerr, /anonymous cipher suite/i){
+ assert_raise_with_message(OpenSSL::SSL::SSLError, /anonymous cipher suite/i) {
ssl.post_connection_check("localhost.localdomain")
}
}
}
- end if OpenSSL::ExtConfig::TLS_DH_anon_WITH_AES_256_GCM_SHA384
+ end
def test_post_connection_check
sslerr = OpenSSL::SSL::SSLError
- start_server(OpenSSL::SSL::VERIFY_NONE, true){|server, port|
+ start_server { |server, port|
server_connect(port) { |ssl|
assert_raise(sslerr){ssl.post_connection_check("localhost.localdomain")}
assert_raise(sslerr){ssl.post_connection_check("127.0.0.1")}
@@ -461,7 +399,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
]
@svr_cert = issue_cert(@svr, @svr_key, 4, now, now+1800, exts,
@ca_cert, @ca_key, OpenSSL::Digest::SHA1.new)
- start_server(OpenSSL::SSL::VERIFY_NONE, true){|server, port|
+ start_server { |server, port|
server_connect(port) { |ssl|
assert(ssl.post_connection_check("localhost.localdomain"))
assert(ssl.post_connection_check("127.0.0.1"))
@@ -483,7 +421,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
]
@svr_cert = issue_cert(@svr, @svr_key, 5, now, now+1800, exts,
@ca_cert, @ca_key, OpenSSL::Digest::SHA1.new)
- start_server(OpenSSL::SSL::VERIFY_NONE, true){|server, port|
+ start_server { |server, port|
server_connect(port) { |ssl|
assert(ssl.post_connection_check("localhost.localdomain"))
assert_raise(sslerr){ssl.post_connection_check("127.0.0.1")}
@@ -685,39 +623,52 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
end
end
- def test_servername_cb_sets_context_on_the_socket
- hostname = 'example.org'
-
+ def test_tlsext_hostname
ctx3 = OpenSSL::SSL::SSLContext.new
- ctx3.ciphers = "aNULL"
+ ctx3.ciphers = "ADH"
ctx3.tmp_dh_callback = proc { OpenSSL::TestUtils::TEST_KEY_DH1024 }
ctx3.security_level = 0
+ assert_not_predicate ctx3, :frozen?
- ctx2 = OpenSSL::SSL::SSLContext.new
- ctx2.servername_cb = lambda { |args| ctx3 }
-
- sock1, sock2 = socketpair
-
- s2 = OpenSSL::SSL::SSLSocket.new(sock2, ctx2)
-
- ctx1 = OpenSSL::SSL::SSLContext.new
- ctx1.ciphers = "aNULL"
- ctx1.security_level = 0
+ ctx_proc = -> ctx {
+ ctx.ciphers = "ALL:!aNULL"
+ ctx.servername_cb = proc { |ssl, servername|
+ case servername
+ when "foo.example.com"
+ ctx3
+ when "bar.example.com"
+ nil
+ else
+ raise "unknown hostname"
+ end
+ }
+ }
+ start_server(ctx_proc: ctx_proc) do |server, port|
+ ctx = OpenSSL::SSL::SSLContext.new
+ ctx.ciphers = "ALL"
+ ctx.security_level = 0
- s1 = OpenSSL::SSL::SSLSocket.new(sock1, ctx1)
- s1.hostname = hostname
- t = Thread.new { s1.connect }
+ sock = TCPSocket.new("127.0.0.1", port)
+ begin
+ ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
+ ssl.hostname = "foo.example.com"
+ ssl.connect
+ assert_match /^ADH-/, ssl.cipher[0], "the context returned by servername_cb is used"
+ assert_predicate ctx3, :frozen?
+ ensure
+ sock.close
+ end
- assert_equal ctx2, s2.context
- accepted = s2.accept
- assert_equal ctx3, s2.context
- assert t.value
- ensure
- s1.close if s1
- s2.close if s2
- sock1.close if sock1
- sock2.close if sock2
- accepted.close if accepted.respond_to?(:close)
+ sock = TCPSocket.new("127.0.0.1", port)
+ begin
+ ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
+ ssl.hostname = "bar.example.com"
+ ssl.connect
+ assert_not_match /^A(EC)?DH-/, ssl.cipher[0], "the original context is used"
+ ensure
+ sock.close
+ end
+ end
end
def test_servername_cb_raises_an_exception_on_unknown_objects
@@ -755,148 +706,6 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
sock2.close if sock2
end
- def test_servername_cb_calls_setup_on_returned_ctx
- hostname = 'example.org'
-
- ctx3 = OpenSSL::SSL::SSLContext.new
- ctx3.ciphers = "aNULL"
- ctx3.tmp_dh_callback = proc { OpenSSL::TestUtils::TEST_KEY_DH1024 }
- ctx3.security_level = 0
- assert_not_predicate ctx3, :frozen?
-
- ctx2 = OpenSSL::SSL::SSLContext.new
- ctx2.servername_cb = lambda { |args| ctx3 }
-
- sock1, sock2 = socketpair
-
- s2 = OpenSSL::SSL::SSLSocket.new(sock2, ctx2)
-
- ctx1 = OpenSSL::SSL::SSLContext.new
- ctx1.ciphers = "aNULL"
- ctx1.security_level = 0
-
- s1 = OpenSSL::SSL::SSLSocket.new(sock1, ctx1)
- s1.hostname = hostname
- t = Thread.new { s1.connect }
-
- accepted = s2.accept
- assert t.value
- assert_predicate ctx3, :frozen?
- ensure
- s1.close if s1
- s2.close if s2
- sock1.close if sock1
- sock2.close if sock2
- accepted.close if accepted.respond_to?(:close)
- end
-
- def test_servername_cb_can_return_nil
- hostname = 'example.org'
-
- ctx2 = OpenSSL::SSL::SSLContext.new
- ctx2.ciphers = "aNULL"
- ctx2.tmp_dh_callback = proc { OpenSSL::TestUtils::TEST_KEY_DH1024 }
- ctx2.security_level = 0
- ctx2.servername_cb = lambda { |args| nil }
-
- sock1, sock2 = socketpair
-
- s2 = OpenSSL::SSL::SSLSocket.new(sock2, ctx2)
-
- ctx1 = OpenSSL::SSL::SSLContext.new
- ctx1.ciphers = "aNULL"
- ctx1.security_level = 0
-
- s1 = OpenSSL::SSL::SSLSocket.new(sock1, ctx1)
- s1.hostname = hostname
- t = Thread.new { s1.connect }
-
- accepted = s2.accept
- assert t.value
- ensure
- s1.close if s1
- s2.close if s2
- sock1.close if sock1
- sock2.close if sock2
- accepted.close if accepted.respond_to?(:close)
- end
-
- def test_servername_cb
- lambda_called = nil
- cb_socket = nil
- hostname = 'example.org'
-
- ctx2 = OpenSSL::SSL::SSLContext.new
- ctx2.ciphers = "aNULL"
- ctx2.tmp_dh_callback = proc { OpenSSL::TestUtils::TEST_KEY_DH1024 }
- ctx2.security_level = 0
- ctx2.servername_cb = lambda do |args|
- cb_socket = args[0]
- lambda_called = args[1]
- ctx2
- end
-
- sock1, sock2 = socketpair
-
- s2 = OpenSSL::SSL::SSLSocket.new(sock2, ctx2)
-
- ctx1 = OpenSSL::SSL::SSLContext.new
- ctx1.ciphers = "aNULL"
- ctx1.security_level = 0
-
- s1 = OpenSSL::SSL::SSLSocket.new(sock1, ctx1)
- s1.hostname = hostname
- t = Thread.new { s1.connect }
-
- accepted = s2.accept
- assert t.value
- assert_equal hostname, lambda_called
- assert_equal s2, cb_socket
- ensure
- s1.close if s1
- s2.close if s2
- sock1.close if sock1
- sock2.close if sock2
- accepted.close if accepted.respond_to?(:close)
- end
-
- def test_tlsext_hostname
- return unless OpenSSL::SSL::SSLSocket.instance_methods.include?(:hostname)
-
- ctx_proc = Proc.new do |ctx, ssl|
- foo_ctx = OpenSSL::SSL::SSLContext.new
-
- ctx.servername_cb = Proc.new do |ssl2, hostname|
- case hostname
- when 'foo.example.com'
- foo_ctx
- when 'bar.example.com'
- nil
- else
- raise "unknown hostname #{hostname.inspect}"
- end
- end
- end
-
- server_proc = Proc.new do |ctx, ssl|
- readwrite_loop(ctx, ssl)
- end
-
- start_server(OpenSSL::SSL::VERIFY_NONE, true, :ctx_proc => ctx_proc, :server_proc => server_proc) do |server, port|
- 2.times do |i|
- ctx = OpenSSL::SSL::SSLContext.new
- # disable RFC4507 support
- ctx.options = OpenSSL::SSL::OP_NO_TICKET
- server_connect(port, ctx) { |ssl|
- ssl.hostname = (i & 1 == 0) ? 'foo.example.com' : 'bar.example.com'
- str = "x" * 100 + "\n"
- ssl.puts(str)
- assert_equal(str, ssl.gets)
- }
- end
- end
- end
-
def test_verify_hostname_on_connect
ctx_proc = proc { |ctx|
now = Time.now
@@ -910,8 +719,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
ctx.key = @svr_key
}
- start_server(OpenSSL::SSL::VERIFY_NONE, true, ctx_proc: ctx_proc,
- ignore_listener_error: true) do |svr, port|
+ start_server(ctx_proc: ctx_proc, ignore_listener_error: true) do |server, port|
ctx = OpenSSL::SSL::SSLContext.new
ctx.verify_hostname = true
ctx.cert_store = OpenSSL::X509::Store.new
@@ -960,7 +768,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
assert_equal(num_written, raw_size)
ssl.close
}
- start_server(OpenSSL::SSL::VERIFY_NONE, true, :server_proc => server_proc){|server, port|
+ start_server(server_proc: server_proc) { |server, port|
server_connect(port) { |ssl|
str = auml * i
num_written = ssl.write(str)
@@ -976,7 +784,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
# But it also degrades gracefully, so keep it
ctx.options = OpenSSL::SSL::OP_ALL
}
- start_server(OpenSSL::SSL::VERIFY_NONE, true, :ctx_proc => ctx_proc){|server, port|
+ start_server(ctx_proc: ctx_proc) { |server, port|
server_connect(port) { |ssl|
ssl.puts('hello')
assert_equal("hello\n", ssl.gets)
@@ -1123,9 +931,10 @@ if OpenSSL::OPENSSL_VERSION_NUMBER >= 0x10002000
ssl2 = OpenSSL::SSL::SSLSocket.new(sock2, ctx2)
t = Thread.new {
- assert_handshake_error { ssl2.connect }
+ ssl2.connect_nonblock(exception: false)
}
- assert_raise(TypeError) { ssl1.accept }
+ assert_raise_with_message(TypeError, /nil/) { ssl1.accept }
+ t.join
ensure
sock1&.close
sock2&.close
@@ -1207,7 +1016,7 @@ end
def test_invalid_shutdown_by_gc
assert_nothing_raised {
- start_server(OpenSSL::SSL::VERIFY_NONE, true){|server, port|
+ start_server { |server, port|
10.times {
sock = TCPSocket.new("127.0.0.1", port)
ssl = OpenSSL::SSL::SSLSocket.new(sock)
@@ -1220,7 +1029,7 @@ end
end
def test_close_after_socket_close
- start_server(OpenSSL::SSL::VERIFY_NONE, true){|server, port|
+ start_server { |server, port|
sock = TCPSocket.new("127.0.0.1", port)
ssl = OpenSSL::SSL::SSLSocket.new(sock)
ssl.sync_close = true
@@ -1274,7 +1083,7 @@ end
'AES128-SHA' => nil
}
conf_proc = Proc.new { |ctx| ctx.ciphers = 'ALL' }
- start_server(OpenSSL::SSL::VERIFY_NONE, true, :ctx_proc => conf_proc) do |server, port|
+ start_server(ctx_proc: conf_proc) do |server, port|
ciphers.each do |cipher, ephemeral|
ctx = OpenSSL::SSL::SSLContext.new
begin
@@ -1294,6 +1103,123 @@ end
end
end
+ def test_dh_callback
+ called = false
+ ctx_proc = -> ctx {
+ ctx.ciphers = "DH:!NULL"
+ ctx.tmp_dh_callback = ->(*args) {
+ called = true
+ OpenSSL::TestUtils::TEST_KEY_DH1024
+ }
+ }
+ start_server(ctx_proc: ctx_proc) do |server, port|
+ server_connect(port) { |ssl|
+ assert called, "dh callback should be called"
+ if ssl.respond_to?(:tmp_key)
+ assert_equal OpenSSL::TestUtils::TEST_KEY_DH1024.to_der, ssl.tmp_key.to_der
+ end
+ }
+ end
+ end
+
+ def test_connect_works_when_setting_dh_callback_to_nil
+ ctx_proc = -> ctx {
+ ctx.ciphers = "DH:!NULL" # use DH
+ ctx.tmp_dh_callback = nil
+ }
+ start_server(ctx_proc: ctx_proc) do |server, port|
+ EnvUtil.suppress_warning { # uses default callback
+ assert_nothing_raised {
+ server_connect(port) { }
+ }
+ }
+ end
+ end
+
+ def test_ecdh_callback
+ return unless OpenSSL::SSL::SSLContext.instance_methods.include?(:tmp_ecdh_callback)
+ EnvUtil.suppress_warning do # tmp_ecdh_callback is deprecated (2016-05)
+ begin
+ called = false
+ ctx2 = OpenSSL::SSL::SSLContext.new
+ ctx2.ciphers = "ECDH"
+ # OpenSSL 1.1.0 doesn't have tmp_ecdh_callback so this shouldn't be required
+ ctx2.security_level = 0
+ ctx2.tmp_ecdh_callback = ->(*args) {
+ called = true
+ OpenSSL::PKey::EC.new "prime256v1"
+ }
+
+ sock1, sock2 = socketpair
+
+ s2 = OpenSSL::SSL::SSLSocket.new(sock2, ctx2)
+ ctx1 = OpenSSL::SSL::SSLContext.new
+ ctx1.ciphers = "ECDH"
+ ctx1.security_level = 0
+
+ s1 = OpenSSL::SSL::SSLSocket.new(sock1, ctx1)
+ th = Thread.new do
+ s1.connect
+ end
+
+ s2.accept
+ assert called, 'ecdh callback should be called'
+ rescue OpenSSL::SSL::SSLError => e
+ if e.message =~ /no cipher match/
+ pend "ECDH cipher not supported."
+ else
+ raise e
+ end
+ ensure
+ th.join if th
+ s1.close if s1
+ s2.close if s2
+ sock1.close if sock1
+ sock2.close if sock2
+ end
+ end
+ end
+
+ def test_ecdh_curves
+ ctx_proc = -> ctx {
+ begin
+ ctx.ciphers = "ECDH:!NULL"
+ rescue OpenSSL::SSL::SSLError
+ pend "ECDH is not enabled in this OpenSSL" if $!.message =~ /no cipher match/
+ raise
+ end
+ ctx.ecdh_curves = "P-384:P-521"
+ }
+ start_server(ctx_proc: ctx_proc, ignore_listener_error: true) do |server, port|
+ ctx = OpenSSL::SSL::SSLContext.new
+ ctx.ecdh_curves = "P-256:P-384" # disable P-521 for OpenSSL >= 1.0.2
+
+ server_connect(port, ctx) { |ssl|
+ assert ssl.cipher[0].start_with?("ECDH"), "ECDH should be used"
+ if ssl.respond_to?(:tmp_key)
+ assert_equal "secp384r1", ssl.tmp_key.group.curve_name
+ end
+ }
+
+ if OpenSSL::OPENSSL_VERSION_NUMBER >= 0x10002000 &&
+ !OpenSSL::OPENSSL_VERSION.include?("LibreSSL")
+ ctx = OpenSSL::SSL::SSLContext.new
+ ctx.ecdh_curves = "P-256"
+
+ assert_raise(OpenSSL::SSL::SSLError) {
+ server_connect(port, ctx) { }
+ }
+
+ ctx = OpenSSL::SSL::SSLContext.new
+ ctx.ecdh_curves = "P-521:P-384"
+
+ server_connect(port, ctx) { |ssl|
+ assert_equal "secp521r1", ssl.tmp_key.group.curve_name
+ }
+ end
+ end
+ end
+
def test_security_level
ctx = OpenSSL::SSL::SSLContext.new
begin
@@ -1325,17 +1251,16 @@ end
private
- def start_server_version(version, ctx_proc=nil, server_proc=nil, &blk)
+ def start_server_version(version, ctx_proc = nil,
+ server_proc = method(:readwrite_loop), &blk)
ctx_wrap = Proc.new { |ctx|
ctx.ssl_version = version
ctx_proc.call(ctx) if ctx_proc
}
start_server(
- OpenSSL::SSL::VERIFY_NONE,
- true,
- :ctx_proc => ctx_wrap,
- :server_proc => server_proc,
- :ignore_listener_error => true,
+ ctx_proc: ctx_wrap,
+ server_proc: server_proc,
+ ignore_listener_error: true,
&blk
)
end
diff --git a/test/openssl/test_ssl_session.rb b/test/openssl/test_ssl_session.rb
index 9bcec101657..b2643edd8c5 100644
--- a/test/openssl/test_ssl_session.rb
+++ b/test/openssl/test_ssl_session.rb
@@ -27,7 +27,7 @@ tddwpBAEDjcwMzA5NTYzMTU1MzAwpQMCARM=
-----END SSL SESSION PARAMETERS-----
SESSION
- start_server(OpenSSL::SSL::VERIFY_NONE, true, :ignore_listener_error => true) { |_, port|
+ start_server(ignore_listener_error: true) { |_, port|
ctx = OpenSSL::SSL::SSLContext.new
ctx.session_cache_mode = OpenSSL::SSL::SSLContext::SESSION_CACHE_CLIENT
ctx.session_id_context = self.object_id.to_s
@@ -46,7 +46,7 @@ tddwpBAEDjcwMzA5NTYzMTU1MzAwpQMCARM=
def test_session
Timeout.timeout(5) do
- start_server(OpenSSL::SSL::VERIFY_NONE, true) do |server, port|
+ start_server do |server, port|
sock = TCPSocket.new("127.0.0.1", port)
ctx = OpenSSL::SSL::SSLContext.new("TLSv1")
ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
@@ -154,7 +154,7 @@ __EOS__
def test_client_session
last_session = nil
- start_server(OpenSSL::SSL::VERIFY_NONE, true) do |server, port|
+ start_server do |server, port|
2.times do
sock = TCPSocket.new("127.0.0.1", port)
# Debian's openssl 0.9.8g-13 failed at assert(ssl.session_reused?),
@@ -237,7 +237,7 @@ __EOS__
end
first_session = nil
- start_server(OpenSSL::SSL::VERIFY_NONE, true, :ctx_proc => ctx_proc, :server_proc => server_proc) do |server, port|
+ start_server(ctx_proc: ctx_proc, server_proc: server_proc) do |server, port|
10.times do |i|
sock = TCPSocket.new("127.0.0.1", port)
ctx = OpenSSL::SSL::SSLContext.new
@@ -285,7 +285,7 @@ __EOS__
# any resulting value is OK (ignored)
}
- start_server(OpenSSL::SSL::VERIFY_NONE, true) do |server, port|
+ start_server do |server, port|
sock = TCPSocket.new("127.0.0.1", port)
begin
ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
@@ -344,7 +344,7 @@ __EOS__
c.session_cache_stats
readwrite_loop(c, ssl)
}
- start_server(OpenSSL::SSL::VERIFY_NONE, true, :ctx_proc => ctx_proc, :server_proc => server_proc) do |server, port|
+ start_server(ctx_proc: ctx_proc, server_proc: server_proc) do |server, port|
last_client_session = nil
3.times do
sock = TCPSocket.new("127.0.0.1", port)
diff --git a/test/openssl/utils.rb b/test/openssl/utils.rb
index 2288a260356..6f3a3c6d1c4 100644
--- a/test/openssl/utils.rb
+++ b/test/openssl/utils.rb
@@ -241,10 +241,6 @@ AQjjxMXhwULlmuR/K+WwlaZPiLIBYalLAZQ7ZbOPeVkJ8ePao0eLAgEC
def readwrite_loop(ctx, ssl)
while line = ssl.gets
- if line =~ /^STARTTLS$/
- ssl.accept
- next
- end
ssl.write(line)
end
rescue OpenSSL::SSL::SSLError
@@ -281,22 +277,15 @@ AQjjxMXhwULlmuR/K+WwlaZPiLIBYalLAZQ7ZbOPeVkJ8ePao0eLAgEC
end
end
- def start_server(verify_mode, start_immediately, args = {}, &block)
+ def start_server(verify_mode: OpenSSL::SSL::VERIFY_NONE, start_immediately: true,
+ ctx_proc: nil, server_proc: method(:readwrite_loop),
+ ignore_listener_error: false, &block)
IO.pipe {|stop_pipe_r, stop_pipe_w|
- ctx_proc = args[:ctx_proc]
- server_proc = args[:server_proc]
- ignore_listener_error = args.fetch(:ignore_listener_error, false)
- use_anon_cipher = args.fetch(:use_anon_cipher, false)
- server_proc ||= method(:readwrite_loop)
-
store = OpenSSL::X509::Store.new
store.add_cert(@ca_cert)
store.purpose = OpenSSL::X509::PURPOSE_SSL_CLIENT
ctx = OpenSSL::SSL::SSLContext.new
- ctx.ciphers = "ADH-AES256-GCM-SHA384" if use_anon_cipher
- ctx.security_level = 0 if use_anon_cipher
ctx.cert_store = store
- #ctx.extra_chain_cert = [ ca_cert ]
ctx.cert = @svr_cert
ctx.key = @svr_key
ctx.tmp_dh_callback = proc { OpenSSL::TestUtils::TEST_KEY_DH1024 }
@@ -341,13 +330,6 @@ AQjjxMXhwULlmuR/K+WwlaZPiLIBYalLAZQ7ZbOPeVkJ8ePao0eLAgEC
end
}
end
-
- def starttls(ssl)
- ssl.puts("STARTTLS")
- sleep 1 # When this line is eliminated, process on Cygwin blocks
- # forever at ssl.connect. But I don't know why it does.
- ssl.connect
- end
end
class OpenSSL::PKeyTestCase < OpenSSL::TestCase