diff options
author | Kazuki Yamaguchi <k@rhe.jp> | 2016-09-07 08:28:47 +0900 |
---|---|---|
committer | Kazuki Yamaguchi <k@rhe.jp> | 2016-09-07 09:11:19 +0900 |
commit | ad2e76adfb2a609cd53c4904b5a810e2b7f332ca (patch) | |
tree | 154a89e36143bd5803156753fde66871aa60cf82 /test | |
parent | bb315a0be77fe792863d9eae70694997ca994e13 (diff) | |
download | ruby-openssl-ad2e76adfb2a609cd53c4904b5a810e2b7f332ca.tar.gz |
test/test_ssl: refactor SNI tests
test_servername_cb{,_sets_context_on_the_socket,_can_return_nil,
_calls_setup_on_returned_ctx} and test_tlsext_hostname are highly
overlapping. So unify them into a single test_tlsext_hostname. The test
coverage does not change.
Diffstat (limited to 'test')
-rw-r--r-- | test/test_ssl.rb | 209 |
1 files changed, 40 insertions, 169 deletions
diff --git a/test/test_ssl.rb b/test/test_ssl.rb index cf704e24..23c508c0 100644 --- a/test/test_ssl.rb +++ b/test/test_ssl.rb @@ -620,39 +620,52 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase end end - def test_servername_cb_sets_context_on_the_socket - hostname = 'example.org' - + def test_tlsext_hostname ctx3 = OpenSSL::SSL::SSLContext.new - ctx3.ciphers = "aNULL" + ctx3.ciphers = "ADH" ctx3.tmp_dh_callback = proc { OpenSSL::TestUtils::TEST_KEY_DH1024 } ctx3.security_level = 0 + assert_not_predicate ctx3, :frozen? - ctx2 = OpenSSL::SSL::SSLContext.new - ctx2.servername_cb = lambda { |args| ctx3 } - - sock1, sock2 = socketpair - - s2 = OpenSSL::SSL::SSLSocket.new(sock2, ctx2) - - ctx1 = OpenSSL::SSL::SSLContext.new - ctx1.ciphers = "aNULL" - ctx1.security_level = 0 + ctx_proc = -> ctx { + ctx.ciphers = "ALL:!aNULL" + ctx.servername_cb = proc { |ssl, servername| + case servername + when "foo.example.com" + ctx3 + when "bar.example.com" + nil + else + raise "unknown hostname" + end + } + } + start_server(ctx_proc: ctx_proc) do |server, port| + ctx = OpenSSL::SSL::SSLContext.new + ctx.ciphers = "ALL" + ctx.security_level = 0 - s1 = OpenSSL::SSL::SSLSocket.new(sock1, ctx1) - s1.hostname = hostname - t = Thread.new { s1.connect } + sock = TCPSocket.new("127.0.0.1", port) + begin + ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx) + ssl.hostname = "foo.example.com" + ssl.connect + assert_match /^ADH-/, ssl.cipher[0], "the context returned by servername_cb is used" + assert_predicate ctx3, :frozen? + ensure + sock.close + end - assert_equal ctx2, s2.context - accepted = s2.accept - assert_equal ctx3, s2.context - assert t.value - ensure - s1.close if s1 - s2.close if s2 - sock1.close if sock1 - sock2.close if sock2 - accepted.close if accepted.respond_to?(:close) + sock = TCPSocket.new("127.0.0.1", port) + begin + ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx) + ssl.hostname = "bar.example.com" + ssl.connect + assert_not_match /^A(EC)?DH-/, ssl.cipher[0], "the original context is used" + ensure + sock.close + end + end end def test_servername_cb_raises_an_exception_on_unknown_objects @@ -690,148 +703,6 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase sock2.close if sock2 end - def test_servername_cb_calls_setup_on_returned_ctx - hostname = 'example.org' - - ctx3 = OpenSSL::SSL::SSLContext.new - ctx3.ciphers = "aNULL" - ctx3.tmp_dh_callback = proc { OpenSSL::TestUtils::TEST_KEY_DH1024 } - ctx3.security_level = 0 - assert_not_predicate ctx3, :frozen? - - ctx2 = OpenSSL::SSL::SSLContext.new - ctx2.servername_cb = lambda { |args| ctx3 } - - sock1, sock2 = socketpair - - s2 = OpenSSL::SSL::SSLSocket.new(sock2, ctx2) - - ctx1 = OpenSSL::SSL::SSLContext.new - ctx1.ciphers = "aNULL" - ctx1.security_level = 0 - - s1 = OpenSSL::SSL::SSLSocket.new(sock1, ctx1) - s1.hostname = hostname - t = Thread.new { s1.connect } - - accepted = s2.accept - assert t.value - assert_predicate ctx3, :frozen? - ensure - s1.close if s1 - s2.close if s2 - sock1.close if sock1 - sock2.close if sock2 - accepted.close if accepted.respond_to?(:close) - end - - def test_servername_cb_can_return_nil - hostname = 'example.org' - - ctx2 = OpenSSL::SSL::SSLContext.new - ctx2.ciphers = "aNULL" - ctx2.tmp_dh_callback = proc { OpenSSL::TestUtils::TEST_KEY_DH1024 } - ctx2.security_level = 0 - ctx2.servername_cb = lambda { |args| nil } - - sock1, sock2 = socketpair - - s2 = OpenSSL::SSL::SSLSocket.new(sock2, ctx2) - - ctx1 = OpenSSL::SSL::SSLContext.new - ctx1.ciphers = "aNULL" - ctx1.security_level = 0 - - s1 = OpenSSL::SSL::SSLSocket.new(sock1, ctx1) - s1.hostname = hostname - t = Thread.new { s1.connect } - - accepted = s2.accept - assert t.value - ensure - s1.close if s1 - s2.close if s2 - sock1.close if sock1 - sock2.close if sock2 - accepted.close if accepted.respond_to?(:close) - end - - def test_servername_cb - lambda_called = nil - cb_socket = nil - hostname = 'example.org' - - ctx2 = OpenSSL::SSL::SSLContext.new - ctx2.ciphers = "aNULL" - ctx2.tmp_dh_callback = proc { OpenSSL::TestUtils::TEST_KEY_DH1024 } - ctx2.security_level = 0 - ctx2.servername_cb = lambda do |args| - cb_socket = args[0] - lambda_called = args[1] - ctx2 - end - - sock1, sock2 = socketpair - - s2 = OpenSSL::SSL::SSLSocket.new(sock2, ctx2) - - ctx1 = OpenSSL::SSL::SSLContext.new - ctx1.ciphers = "aNULL" - ctx1.security_level = 0 - - s1 = OpenSSL::SSL::SSLSocket.new(sock1, ctx1) - s1.hostname = hostname - t = Thread.new { s1.connect } - - accepted = s2.accept - assert t.value - assert_equal hostname, lambda_called - assert_equal s2, cb_socket - ensure - s1.close if s1 - s2.close if s2 - sock1.close if sock1 - sock2.close if sock2 - accepted.close if accepted.respond_to?(:close) - end - - def test_tlsext_hostname - return unless OpenSSL::SSL::SSLSocket.instance_methods.include?(:hostname) - - ctx_proc = Proc.new do |ctx, ssl| - foo_ctx = OpenSSL::SSL::SSLContext.new - - ctx.servername_cb = Proc.new do |ssl2, hostname| - case hostname - when 'foo.example.com' - foo_ctx - when 'bar.example.com' - nil - else - raise "unknown hostname #{hostname.inspect}" - end - end - end - - server_proc = Proc.new do |ctx, ssl| - readwrite_loop(ctx, ssl) - end - - start_server(ctx_proc: ctx_proc, server_proc: server_proc) do |server, port| - 2.times do |i| - ctx = OpenSSL::SSL::SSLContext.new - # disable RFC4507 support - ctx.options = OpenSSL::SSL::OP_NO_TICKET - server_connect(port, ctx) { |ssl| - ssl.hostname = (i & 1 == 0) ? 'foo.example.com' : 'bar.example.com' - str = "x" * 100 + "\n" - ssl.puts(str) - assert_equal(str, ssl.gets) - } - end - end - end - def test_verify_hostname_on_connect ctx_proc = proc { |ctx| now = Time.now |