diff options
author | Kazuki Yamaguchi <k@rhe.jp> | 2020-03-09 17:41:13 +0900 |
---|---|---|
committer | Kazuki Yamaguchi <k@rhe.jp> | 2020-03-09 17:41:13 +0900 |
commit | fc37d4711af7c50390614914521a99610d3fe18a (patch) | |
tree | ff57d77ff2bbfd848dc7e5c2f6c017f9f1c68628 /test/openssl | |
parent | 58e9fb31ef86e72e9f1156885acb4f6bcc9a7327 (diff) | |
parent | ec6542835874ca00e3a777334ee049b5b4cd02e4 (diff) | |
download | ruby-openssl-fc37d4711af7c50390614914521a99610d3fe18a.tar.gz |
Merge branch 'maint'
* maint:
ssl: set verify error code in the case of verify_hostname failure
x509: add error code and verify flags constants
Remove taint support
Restore compatibility with older versions of Ruby.
Fix keyword argument separation issues in OpenSSL::SSL::SSLSocket#sys{read,write}_nonblock
config: support .include directive
Diffstat (limited to 'test/openssl')
-rw-r--r-- | test/openssl/test_config.rb | 54 | ||||
-rw-r--r-- | test/openssl/test_ssl.rb | 40 |
2 files changed, 94 insertions, 0 deletions
diff --git a/test/openssl/test_config.rb b/test/openssl/test_config.rb index 7b195d84..f65392c1 100644 --- a/test/openssl/test_config.rb +++ b/test/openssl/test_config.rb @@ -120,6 +120,49 @@ __EOC__ assert_equal("error in line 7: missing close square bracket", excn.message) end + def test_s_parse_include + in_tmpdir("ossl-config-include-test") do |dir| + Dir.mkdir("child") + File.write("child/a.conf", <<~__EOC__) + [default] + file-a = a.conf + [sec-a] + a = 123 + __EOC__ + File.write("child/b.cnf", <<~__EOC__) + [default] + file-b = b.cnf + [sec-b] + b = 123 + __EOC__ + File.write("include-child.conf", <<~__EOC__) + key_outside_section = value_a + .include child + __EOC__ + + include_file = <<~__EOC__ + [default] + file-main = unnamed + [sec-main] + main = 123 + .include = include-child.conf + __EOC__ + + # Include a file by relative path + c1 = OpenSSL::Config.parse(include_file) + assert_equal(["default", "sec-a", "sec-b", "sec-main"], c1.sections.sort) + assert_equal(["file-main", "file-a", "file-b"], c1["default"].keys) + assert_equal({"a" => "123"}, c1["sec-a"]) + assert_equal({"b" => "123"}, c1["sec-b"]) + assert_equal({"main" => "123", "key_outside_section" => "value_a"}, c1["sec-main"]) + + # Relative paths are from the working directory + assert_raise(OpenSSL::ConfigError) do + Dir.chdir("child") { OpenSSL::Config.parse(include_file) } + end + end + end + def test_s_load # alias of new c = OpenSSL::Config.load @@ -315,6 +358,17 @@ __EOC__ assert_not_equal(@it.sections.sort, c.sections.sort) end end + + private + + def in_tmpdir(*args) + Dir.mktmpdir(*args) do |dir| + dir = File.realpath(dir) + Dir.chdir(dir) do + yield dir + end + end + end end end diff --git a/test/openssl/test_ssl.rb b/test/openssl/test_ssl.rb index 95232239..ce899ba0 100644 --- a/test/openssl/test_ssl.rb +++ b/test/openssl/test_ssl.rb @@ -939,6 +939,46 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase end end + def test_verify_hostname_failure_error_code + ctx_proc = proc { |ctx| + exts = [ + ["keyUsage", "keyEncipherment,digitalSignature", true], + ["subjectAltName", "DNS:a.example.com"], + ] + ctx.cert = issue_cert(@svr, @svr_key, 4, exts, @ca_cert, @ca_key) + ctx.key = @svr_key + } + + start_server(ctx_proc: ctx_proc, ignore_listener_error: true) do |port| + verify_callback_ok = verify_callback_err = nil + + ctx = OpenSSL::SSL::SSLContext.new + ctx.verify_hostname = true + ctx.cert_store = OpenSSL::X509::Store.new + ctx.cert_store.add_cert(@ca_cert) + ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER + ctx.verify_callback = -> (preverify_ok, store_ctx) { + verify_callback_ok = preverify_ok + verify_callback_err = store_ctx.error + preverify_ok + } + + begin + sock = TCPSocket.new("127.0.0.1", port) + ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx) + ssl.hostname = "b.example.com" + assert_handshake_error { ssl.connect } + assert_equal false, verify_callback_ok + code_expected = openssl?(1, 0, 2) || defined?(OpenSSL::X509::V_ERR_HOSTNAME_MISMATCH) ? + OpenSSL::X509::V_ERR_HOSTNAME_MISMATCH : + OpenSSL::X509::V_ERR_CERT_REJECTED + assert_equal code_expected, verify_callback_err + ensure + sock&.close + end + end + end + def test_connect_certificate_verify_failed_exception_message start_server(ignore_listener_error: true) { |port| ctx = OpenSSL::SSL::SSLContext.new |