diff options
Diffstat (limited to 'test/openssl/utils.rb')
-rw-r--r-- | test/openssl/utils.rb | 103 |
1 files changed, 32 insertions, 71 deletions
diff --git a/test/openssl/utils.rb b/test/openssl/utils.rb index ab5fab4ba3..f6c84eef67 100644 --- a/test/openssl/utils.rb +++ b/test/openssl/utils.rb @@ -1,38 +1,13 @@ # frozen_string_literal: true begin require "openssl" - - # Disable FIPS mode for tests for installations - # where FIPS mode would be enabled by default. - # Has no effect on all other installations. - OpenSSL.fips_mode=false rescue LoadError end -# Compile OpenSSL with crypto-mdebug and run this test suite with OSSL_MDEBUG=1 -# environment variable to enable memory leak check. -if ENV["OSSL_MDEBUG"] == "1" - if OpenSSL.respond_to?(:print_mem_leaks) - OpenSSL.mem_check_start - - END { - GC.start - case OpenSSL.print_mem_leaks - when nil - warn "mdebug: check what is printed" - when true - raise "mdebug: memory leaks detected" - end - } - else - warn "OSSL_MDEBUG=1 is specified but OpenSSL is not built with crypto-mdebug" - end -end - require "test/unit" +require "core_assertions" require "tempfile" require "socket" -require "envutil" if defined?(OpenSSL) @@ -131,11 +106,12 @@ module OpenSSL::TestUtils end end - def openssl?(major = nil, minor = nil, fix = nil, patch = 0) + def openssl?(major = nil, minor = nil, fix = nil, patch = 0, status = 0) return false if OpenSSL::OPENSSL_VERSION.include?("LibreSSL") return true unless major OpenSSL::OPENSSL_VERSION_NUMBER >= - major * 0x10000000 + minor * 0x100000 + fix * 0x1000 + patch * 0x10 + major * 0x10000000 + minor * 0x100000 + fix * 0x1000 + patch * 0x10 + + status * 0x1 end def libressl?(major = nil, minor = nil, fix = nil) @@ -148,6 +124,7 @@ end class OpenSSL::TestCase < Test::Unit::TestCase include OpenSSL::TestUtils extend OpenSSL::TestUtils + include Test::Unit::CoreAssertions def setup if ENV["OSSL_GC_STRESS"] == "1" @@ -162,6 +139,30 @@ class OpenSSL::TestCase < Test::Unit::TestCase # OpenSSL error stack must be empty assert_equal([], OpenSSL.errors) end + + # Omit the tests in FIPS. + # + # For example, the password based encryption used in the PEM format uses MD5 + # for deriving the encryption key from the password, and MD5 is not + # FIPS-approved. + # + # See https://github.com/openssl/openssl/discussions/21830#discussioncomment-6865636 + # for details. + def omit_on_fips + return unless OpenSSL.fips_mode + + omit <<~MESSAGE + Only for OpenSSL non-FIPS with the following possible reasons: + * A testing logic is non-FIPS specific. + * An encryption used in the test is not FIPS-approved. + MESSAGE + end + + def omit_on_non_fips + return if OpenSSL.fips_mode + + omit "Only for OpenSSL FIPS" + end end class OpenSSL::SSLTestCase < OpenSSL::TestCase @@ -189,13 +190,6 @@ class OpenSSL::SSLTestCase < OpenSSL::TestCase @server = nil end - def tls12_supported? - ctx = OpenSSL::SSL::SSLContext.new - ctx.min_version = ctx.max_version = OpenSSL::SSL::TLS1_2_VERSION - true - rescue - end - def tls13_supported? return false unless defined?(OpenSSL::SSL::TLS1_3_VERSION) ctx = OpenSSL::SSL::SSLContext.new @@ -222,7 +216,6 @@ class OpenSSL::SSLTestCase < OpenSSL::TestCase ctx.cert_store = store ctx.cert = @svr_cert ctx.key = @svr_key - ctx.tmp_dh_callback = proc { Fixtures.pkey("dh-1") } ctx.verify_mode = verify_mode ctx_proc.call(ctx) if ctx_proc @@ -236,9 +229,7 @@ class OpenSSL::SSLTestCase < OpenSSL::TestCase threads = [] begin server_thread = Thread.new do - if Thread.method_defined?(:report_on_exception=) # Ruby >= 2.4 - Thread.current.report_on_exception = false - end + Thread.current.report_on_exception = false begin loop do @@ -254,9 +245,7 @@ class OpenSSL::SSLTestCase < OpenSSL::TestCase end th = Thread.new do - if Thread.method_defined?(:report_on_exception=) - Thread.current.report_on_exception = false - end + Thread.current.report_on_exception = false begin server_proc.call(ctx, ssl) @@ -273,9 +262,7 @@ class OpenSSL::SSLTestCase < OpenSSL::TestCase end client_thread = Thread.new do - if Thread.method_defined?(:report_on_exception=) - Thread.current.report_on_exception = false - end + Thread.current.report_on_exception = false begin block.call(port) @@ -312,32 +299,6 @@ class OpenSSL::PKeyTestCase < OpenSSL::TestCase assert_equal base.send(comp), test.send(comp) } end - - def dup_public(key) - case key - when OpenSSL::PKey::RSA - rsa = OpenSSL::PKey::RSA.new - rsa.set_key(key.n, key.e, nil) - rsa - when OpenSSL::PKey::DSA - dsa = OpenSSL::PKey::DSA.new - dsa.set_pqg(key.p, key.q, key.g) - dsa.set_key(key.pub_key, nil) - dsa - when OpenSSL::PKey::DH - dh = OpenSSL::PKey::DH.new - dh.set_pqg(key.p, nil, key.g) - dh - else - if defined?(OpenSSL::PKey::EC) && OpenSSL::PKey::EC === key - ec = OpenSSL::PKey::EC.new(key.group) - ec.public_key = key.public_key - ec - else - raise "unknown key type" - end - end - end end module OpenSSL::Certs |