Merge branch 'maint'

* maint: ssl: set verify error code in the case of verify_hostname failure x509: add error code and verify flags constants Remove taint support Restore compatibility with older versions of Ruby. Fix keyword argument separation issues in OpenSSL::SSL::SSLSocket#sys{read,write}_nonblock config: support .include directive
author: Kazuki Yamaguchi <k@rhe.jp> 2020-03-09 17:41:13 +0900
committer: Kazuki Yamaguchi <k@rhe.jp> 2020-03-09 17:41:13 +0900
commit: fc37d4711af7c50390614914521a99610d3fe18a (patch)
tree: ff57d77ff2bbfd848dc7e5c2f6c017f9f1c68628 /test/openssl
parent: 58e9fb31ef86e72e9f1156885acb4f6bcc9a7327 (diff)
parent: ec6542835874ca00e3a777334ee049b5b4cd02e4 (diff)
download: ruby-openssl-fc37d4711af7c50390614914521a99610d3fe18a.tar.gz
2 files changed, 94 insertions, 0 deletions
diff --git a/test/openssl/test_config.rb b/test/openssl/test_config.rb
index 7b195d84..f65392c1 100644
--- a/test/openssl/test_config.rb
+++ b/test/openssl/test_config.rb
@@ -120,6 +120,49 @@ __EOC__
     assert_equal("error in line 7: missing close square bracket", excn.message)
   end
 
+  def test_s_parse_include
+    in_tmpdir("ossl-config-include-test") do |dir|
+      Dir.mkdir("child")
+      File.write("child/a.conf", <<~__EOC__)
+        [default]
+        file-a = a.conf
+        [sec-a]
+        a = 123
+      __EOC__
+      File.write("child/b.cnf", <<~__EOC__)
+        [default]
+        file-b = b.cnf
+        [sec-b]
+        b = 123
+      __EOC__
+      File.write("include-child.conf", <<~__EOC__)
+        key_outside_section = value_a
+        .include child
+      __EOC__
+
+      include_file = <<~__EOC__
+        [default]
+        file-main = unnamed
+        [sec-main]
+        main = 123
+        .include = include-child.conf
+      __EOC__
+
+      # Include a file by relative path
+      c1 = OpenSSL::Config.parse(include_file)
+      assert_equal(["default", "sec-a", "sec-b", "sec-main"], c1.sections.sort)
+      assert_equal(["file-main", "file-a", "file-b"], c1["default"].keys)
+      assert_equal({"a" => "123"}, c1["sec-a"])
+      assert_equal({"b" => "123"}, c1["sec-b"])
+      assert_equal({"main" => "123", "key_outside_section" => "value_a"}, c1["sec-main"])
+
+      # Relative paths are from the working directory
+      assert_raise(OpenSSL::ConfigError) do
+        Dir.chdir("child") { OpenSSL::Config.parse(include_file) }
+      end
+    end
+  end
+
   def test_s_load
     # alias of new
     c = OpenSSL::Config.load
@@ -315,6 +358,17 @@ __EOC__
       assert_not_equal(@it.sections.sort, c.sections.sort)
     end
   end
+
+  private
+
+  def in_tmpdir(*args)
+    Dir.mktmpdir(*args) do |dir|
+      dir = File.realpath(dir)
+      Dir.chdir(dir) do
+        yield dir
+      end
+    end
+  end
 end
 
 end
diff --git a/test/openssl/test_ssl.rb b/test/openssl/test_ssl.rb
index 95232239..ce899ba0 100644
--- a/test/openssl/test_ssl.rb
+++ b/test/openssl/test_ssl.rb
@@ -939,6 +939,46 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
     end
   end
 
+  def test_verify_hostname_failure_error_code
+    ctx_proc = proc { |ctx|
+      exts = [
+        ["keyUsage", "keyEncipherment,digitalSignature", true],
+        ["subjectAltName", "DNS:a.example.com"],
+      ]
+      ctx.cert = issue_cert(@svr, @svr_key, 4, exts, @ca_cert, @ca_key)
+      ctx.key = @svr_key
+    }
+
+    start_server(ctx_proc: ctx_proc, ignore_listener_error: true) do |port|
+      verify_callback_ok = verify_callback_err = nil
+
+      ctx = OpenSSL::SSL::SSLContext.new
+      ctx.verify_hostname = true
+      ctx.cert_store = OpenSSL::X509::Store.new
+      ctx.cert_store.add_cert(@ca_cert)
+      ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
+      ctx.verify_callback = -> (preverify_ok, store_ctx) {
+        verify_callback_ok = preverify_ok
+        verify_callback_err = store_ctx.error
+        preverify_ok
+      }
+
+      begin
+        sock = TCPSocket.new("127.0.0.1", port)
+        ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
+        ssl.hostname = "b.example.com"
+        assert_handshake_error { ssl.connect }
+        assert_equal false, verify_callback_ok
+        code_expected = openssl?(1, 0, 2) || defined?(OpenSSL::X509::V_ERR_HOSTNAME_MISMATCH) ?
+          OpenSSL::X509::V_ERR_HOSTNAME_MISMATCH :
+          OpenSSL::X509::V_ERR_CERT_REJECTED
+        assert_equal code_expected, verify_callback_err
+      ensure
+        sock&.close
+      end
+    end
+  end
+
   def test_connect_certificate_verify_failed_exception_message
     start_server(ignore_listener_error: true) { |port|
       ctx = OpenSSL::SSL::SSLContext.new
author	Kazuki Yamaguchi <k@rhe.jp>	2020-03-09 17:41:13 +0900
committer	Kazuki Yamaguchi <k@rhe.jp>	2020-03-09 17:41:13 +0900
commit	fc37d4711af7c50390614914521a99610d3fe18a (patch)
tree	ff57d77ff2bbfd848dc7e5c2f6c017f9f1c68628 /test/openssl
parent	58e9fb31ef86e72e9f1156885acb4f6bcc9a7327 (diff)
parent	ec6542835874ca00e3a777334ee049b5b4cd02e4 (diff)
download	ruby-openssl-fc37d4711af7c50390614914521a99610d3fe18a.tar.gz