diff options
author | Kazuki Yamaguchi <k@rhe.jp> | 2017-08-13 22:53:45 +0900 |
---|---|---|
committer | Kazuki Yamaguchi <k@rhe.jp> | 2017-08-24 21:01:09 +0900 |
commit | a0019110ddc97d3a46b99dc822b520f41afae687 (patch) | |
tree | 2bfcfd0d98ced1adcfb2eb955b79aedd7acf5586 /test | |
parent | 6f16135eb52b2460f2ff6a447def285878567077 (diff) | |
download | ruby-openssl-a0019110ddc97d3a46b99dc822b520f41afae687.tar.gz |
test/utils: do not set ecdh_curves in start_server
An assumption in OpenSSL::TestSSL#test_get_ephemeral_key is that the
ephemeral key type is always EVP_PKEY_EC when negotiated with an ECDHE
cipher suite. This is not true if X25519 is chosen.
The test is passing because we happen to fix the group to P-256 in
start_server, but let's make it explicit.
Diffstat (limited to 'test')
-rw-r--r-- | test/test_ssl.rb | 70 | ||||
-rw-r--r-- | test/utils.rb | 4 |
2 files changed, 47 insertions, 27 deletions
diff --git a/test/test_ssl.rb b/test/test_ssl.rb index 32879b7d..418365a4 100644 --- a/test/test_ssl.rb +++ b/test/test_ssl.rb @@ -1072,30 +1072,54 @@ end end def test_get_ephemeral_key - return unless OpenSSL::SSL::SSLSocket.method_defined?(:tmp_key) - pkey = OpenSSL::PKey - ciphers = { - 'ECDHE-RSA-AES128-SHA' => (pkey::EC if defined?(pkey::EC)), - 'DHE-RSA-AES128-SHA' => (pkey::DH if defined?(pkey::DH)), - 'AES128-SHA' => nil - } - conf_proc = Proc.new { |ctx| ctx.ciphers = 'ALL' } - start_server(ctx_proc: conf_proc) do |port| - ciphers.each do |cipher, ephemeral| + # OpenSSL >= 1.0.2 + unless OpenSSL::SSL::SSLSocket.method_defined?(:tmp_key) + pend "SSL_get_server_tmp_key() is not supported" + end + + if tls12_supported? + # kRSA + ctx_proc1 = proc { |ctx| + ctx.ssl_version = :TLSv1_2 + ctx.ciphers = "kRSA" + } + start_server(ctx_proc: ctx_proc1) do |port| ctx = OpenSSL::SSL::SSLContext.new - begin - ctx.ciphers = cipher - rescue OpenSSL::SSL::SSLError => e - next if /no cipher match/ =~ e.message - raise - end - server_connect(port, ctx) do |ssl| - if ephemeral - assert_instance_of(ephemeral, ssl.tmp_key) - else - assert_nil(ssl.tmp_key) - end - end + ctx.ssl_version = :TLSv1_2 + ctx.ciphers = "kRSA" + server_connect(port, ctx) { |ssl| assert_nil ssl.tmp_key } + end + end + + if defined?(OpenSSL::PKey::DH) && tls12_supported? + # DHE + # TODO: How to test this with TLS 1.3? + ctx_proc2 = proc { |ctx| + ctx.ssl_version = :TLSv1_2 + ctx.ciphers = "EDH" + } + start_server(ctx_proc: ctx_proc2) do |port| + ctx = OpenSSL::SSL::SSLContext.new + ctx.ssl_version = :TLSv1_2 + ctx.ciphers = "EDH" + server_connect(port, ctx) { |ssl| + assert_instance_of OpenSSL::PKey::DH, ssl.tmp_key + } + end + end + + if defined?(OpenSSL::PKey::EC) + # ECDHE + ctx_proc3 = proc { |ctx| + ctx.ciphers = "DEFAULT:!kRSA:!kEDH" + ctx.ecdh_curves = "P-256" + } + start_server(ctx_proc: ctx_proc3) do |port| + ctx = OpenSSL::SSL::SSLContext.new + ctx.ciphers = "DEFAULT:!kRSA:!kEDH" + server_connect(port, ctx) { |ssl| + assert_instance_of OpenSSL::PKey::EC, ssl.tmp_key + } end end end diff --git a/test/utils.rb b/test/utils.rb index 8e5fc55b..2f2701af 100644 --- a/test/utils.rb +++ b/test/utils.rb @@ -222,10 +222,6 @@ class OpenSSL::SSLTestCase < OpenSSL::TestCase ctx.cert = @svr_cert ctx.key = @svr_key ctx.tmp_dh_callback = proc { Fixtures.pkey_dh("dh1024") } - begin - ctx.ecdh_curves = "P-256" - rescue NotImplementedError - end ctx.verify_mode = verify_mode ctx_proc.call(ctx) if ctx_proc |