diff options
59 files changed, 825 insertions, 881 deletions
diff --git a/.travis.yml b/.travis.yml index c770d989..9da14b8b 100644 --- a/.travis.yml +++ b/.travis.yml @@ -17,10 +17,9 @@ script: matrix: fast_finish: true include: - - env: RUBY_VERSION=ruby-2.3 OPENSSL_VERSION=openssl-1.0.0 OSSL_MDEBUG=1 - - env: RUBY_VERSION=ruby-2.3 OPENSSL_VERSION=openssl-1.0.1 OSSL_MDEBUG=1 - - env: RUBY_VERSION=ruby-2.3 OPENSSL_VERSION=openssl-1.0.2 OSSL_MDEBUG=1 - - env: RUBY_VERSION=ruby-2.3 OPENSSL_VERSION=openssl-1.1.0 OSSL_MDEBUG=1 + - env: RUBY_VERSION=ruby-2.3 OPENSSL_VERSION=openssl-1.0.1 + - env: RUBY_VERSION=ruby-2.3 OPENSSL_VERSION=openssl-1.0.2 + - env: RUBY_VERSION=ruby-2.3 OPENSSL_VERSION=openssl-1.1.0 - env: RUBY_VERSION=ruby-2.3 OPENSSL_VERSION=libressl-2.3 - env: RUBY_VERSION=ruby-2.3 OPENSSL_VERSION=libressl-2.4 - env: RUBY_VERSION=ruby-2.3 OPENSSL_VERSION=libressl-2.5 @@ -4,10 +4,12 @@ Version 2.1.0 Compatibility notes ------------------- +* Support for OpenSSL version 0.9.8 and 1.0.0 is completely removed. + Supported platforms ------------------- -* OpenSSL 0.9.8, 1.0.0, 1.0.1, 1.0.2, 1.1.0 +* OpenSSL 1.0.1, 1.0.2, 1.1.0 * LibreSSL 2.3, 2.4, 2.5 * Ruby 2.3, 2.4 diff --git a/appveyor.yml b/appveyor.yml index c3e9c303..ccfbeca7 100644 --- a/appveyor.yml +++ b/appveyor.yml @@ -2,14 +2,14 @@ clone_depth: 10 install: - SET PATH=C:\Ruby%ruby_version%\bin;%PATH% - - appveyor DownloadFile http://dl.bintray.com/oneclick/OpenKnapsack/x64/openssl-1.0.1m-x64-windows.tar.lzma - - 7z e openssl-1.0.1m-x64-windows.tar.lzma - - 7z x -y -oC:\Ruby%ruby_version% openssl-1.0.1m-x64-windows.tar + - appveyor DownloadFile http://dl.bintray.com/oneclick/OpenKnapsack/x64/openssl-1.0.2j-x64-windows.tar.lzma + - 7z e openssl-1.0.2j-x64-windows.tar.lzma + - 7z x -y -oC:\Ruby%ruby_version% openssl-1.0.2j-x64-windows.tar - ruby -S rake install_dependencies build_script: - - rake -rdevkit compile -- --with-openssl-dir=C:\Ruby%ruby_version% + - rake -rdevkit compile -- --with-openssl-dir=C:\Ruby%ruby_version% --enable-debug test_script: - - rake test + - rake test OSSL_MDEBUG=1 deploy: off environment: matrix: diff --git a/docker-compose.yml b/docker-compose.yml index 4289654c..da21bbee 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -3,11 +3,10 @@ compile: &defaults environment: RUBY_VERSION: OPENSSL_VERSION: - MDEBUG: command: rake compile test: <<: *defaults - command: rake compile test + command: rake compile test OSSL_MDEBUG=1 -- --enable-debug debug: <<: *defaults command: /bin/bash diff --git a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb index 7033b0e2..a97883c1 100644 --- a/ext/openssl/extconf.rb +++ b/ext/openssl/extconf.rb @@ -37,6 +37,12 @@ have_library("socket", "socket") Logging::message "=== Checking for required stuff... ===\n" result = pkg_config("openssl") && have_header("openssl/ssl.h") unless result + if $mswin || $mingw + # required for static OpenSSL libraries + have_library("gdi32") # OpenSSL <= 1.0.2 (for RAND_screen()) + have_library("crypt32") + end + result = have_header("openssl/ssl.h") result &&= %w[crypto libeay32].any? {|lib| have_library(lib, "CRYPTO_malloc")} result &&= %w[ssl ssleay32].any? {|lib| have_library(lib, "SSL_new")} @@ -47,30 +53,18 @@ unless result end end -result = checking_for("OpenSSL version is 0.9.8 or later") { - try_static_assert("OPENSSL_VERSION_NUMBER >= 0x00908000L", "openssl/opensslv.h") -} -unless result - raise "OpenSSL 0.9.8 or later required." -end - -unless OpenSSL.check_func("SSL_library_init()", "openssl/ssl.h") - raise "Ignore OpenSSL broken by Apple.\nPlease use another openssl. (e.g. using `configure --with-openssl-dir=/path/to/openssl')" +unless checking_for("OpenSSL version is 1.0.1 or later") { + try_static_assert("OPENSSL_VERSION_NUMBER >= 0x10001000L", "openssl/opensslv.h") } + raise "OpenSSL >= 1.0.1 or LibreSSL is required" end Logging::message "=== Checking for OpenSSL features... ===\n" # compile options -# check OPENSSL_NO_{SSL2,SSL3_METHOD} macro: on some environment, these symbols -# exist even if compiled with no-ssl2 or no-ssl3-method. -unless have_macro("OPENSSL_NO_SSL2", "openssl/opensslconf.h") - have_func("SSLv2_method") -end -unless have_macro("OPENSSL_NO_SSL3_METHOD", "openssl/opensslconf.h") - have_func("SSLv3_method") -end -have_func("TLSv1_1_method") -have_func("TLSv1_2_method") +# SSLv2 and SSLv3 may be removed in future versions of OpenSSL, and even macros +# like OPENSSL_NO_SSL2 may not be defined. +have_func("SSLv2_method") +have_func("SSLv3_method") have_func("RAND_egd") engines = %w{builtin_engines openbsd_dev_crypto dynamic 4758cca aep atalla chil cswift nuron sureware ubsec padlock capi gmp gost cryptodev aesni} @@ -78,30 +72,6 @@ engines.each { |name| OpenSSL.check_func_or_macro("ENGINE_load_#{name}", "openssl/engine.h") } -# added in 0.9.8X -have_func("EVP_CIPHER_CTX_new") -have_func("EVP_CIPHER_CTX_free") -OpenSSL.check_func_or_macro("SSL_CTX_clear_options", "openssl/ssl.h") - -# added in 1.0.0 -have_func("ASN1_TIME_adj") -have_func("EVP_CIPHER_CTX_copy") -have_func("EVP_PKEY_base_id") -have_func("HMAC_CTX_copy") -have_func("PKCS5_PBKDF2_HMAC") -have_func("X509_NAME_hash_old") -have_func("X509_STORE_CTX_get0_current_crl") -have_func("X509_STORE_set_verify_cb") -have_func("i2d_ASN1_SET_ANY") -have_func("SSL_SESSION_cmp") # removed -OpenSSL.check_func_or_macro("SSL_set_tlsext_host_name", "openssl/ssl.h") -have_struct_member("CRYPTO_THREADID", "ptr", "openssl/crypto.h") -have_func("EVP_PKEY_get0") - -# added in 1.0.1 -have_func("SSL_CTX_set_next_proto_select_cb") -have_macro("EVP_CTRL_GCM_GET_TAG", ['openssl/evp.h']) && $defs.push("-DHAVE_AUTHENTICATED_ENCRYPTION") - # added in 1.0.2 have_func("EC_curve_nist2nid") have_func("X509_REVOKED_dup") diff --git a/ext/openssl/openssl_missing.c b/ext/openssl/openssl_missing.c index 94ce85af..b36ef028 100644 --- a/ext/openssl/openssl_missing.c +++ b/ext/openssl/openssl_missing.c @@ -20,73 +20,6 @@ #include "openssl_missing.h" -/* added in 0.9.8X */ -#if !defined(HAVE_EVP_CIPHER_CTX_NEW) -EVP_CIPHER_CTX * -ossl_EVP_CIPHER_CTX_new(void) -{ - EVP_CIPHER_CTX *ctx = OPENSSL_malloc(sizeof(EVP_CIPHER_CTX)); - if (!ctx) - return NULL; - EVP_CIPHER_CTX_init(ctx); - return ctx; -} -#endif - -#if !defined(HAVE_EVP_CIPHER_CTX_FREE) -void -ossl_EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *ctx) -{ - if (ctx) { - EVP_CIPHER_CTX_cleanup(ctx); - OPENSSL_free(ctx); - } -} -#endif - -/* added in 1.0.0 */ -#if !defined(HAVE_EVP_CIPHER_CTX_COPY) -/* - * this function does not exist in OpenSSL yet... or ever?. - * a future version may break this function. - * tested on 0.9.7d. - */ -int -ossl_EVP_CIPHER_CTX_copy(EVP_CIPHER_CTX *out, const EVP_CIPHER_CTX *in) -{ - memcpy(out, in, sizeof(EVP_CIPHER_CTX)); - -#if !defined(OPENSSL_NO_ENGINE) - if (in->engine) ENGINE_add(out->engine); - if (in->cipher_data) { - out->cipher_data = OPENSSL_malloc(in->cipher->ctx_size); - memcpy(out->cipher_data, in->cipher_data, in->cipher->ctx_size); - } -#endif - - return 1; -} -#endif - -#if !defined(OPENSSL_NO_HMAC) -#if !defined(HAVE_HMAC_CTX_COPY) -int -ossl_HMAC_CTX_copy(HMAC_CTX *out, HMAC_CTX *in) -{ - if (!out || !in) - return 0; - - memcpy(out, in, sizeof(HMAC_CTX)); - - EVP_MD_CTX_copy(&out->md_ctx, &in->md_ctx); - EVP_MD_CTX_copy(&out->i_ctx, &in->i_ctx); - EVP_MD_CTX_copy(&out->o_ctx, &in->o_ctx); - - return 1; -} -#endif /* HAVE_HMAC_CTX_COPY */ -#endif /* NO_HMAC */ - /* added in 1.0.2 */ #if !defined(OPENSSL_NO_EC) #if !defined(HAVE_EC_CURVE_NIST2NID) diff --git a/ext/openssl/openssl_missing.h b/ext/openssl/openssl_missing.h index 3d11aec2..cc31f6ac 100644 --- a/ext/openssl/openssl_missing.h +++ b/ext/openssl/openssl_missing.h @@ -12,53 +12,6 @@ #include "ruby/config.h" -/* added in 0.9.8X */ -#if !defined(HAVE_EVP_CIPHER_CTX_NEW) -EVP_CIPHER_CTX *ossl_EVP_CIPHER_CTX_new(void); -# define EVP_CIPHER_CTX_new ossl_EVP_CIPHER_CTX_new -#endif - -#if !defined(HAVE_EVP_CIPHER_CTX_FREE) -void ossl_EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *); -# define EVP_CIPHER_CTX_free ossl_EVP_CIPHER_CTX_free -#endif - -#if !defined(HAVE_SSL_CTX_CLEAR_OPTIONS) -# define SSL_CTX_clear_options(ctx, op) ((ctx)->options &= ~(op)) -#endif - -/* added in 1.0.0 */ -#if !defined(HAVE_EVP_PKEY_BASE_ID) -# define EVP_PKEY_base_id(pkey) EVP_PKEY_type((pkey)->type) -#endif - -#if !defined(HAVE_EVP_CIPHER_CTX_COPY) -int ossl_EVP_CIPHER_CTX_copy(EVP_CIPHER_CTX *, const EVP_CIPHER_CTX *); -# define EVP_CIPHER_CTX_copy ossl_EVP_CIPHER_CTX_copy -#endif - -#if !defined(HAVE_HMAC_CTX_COPY) -int ossl_HMAC_CTX_copy(HMAC_CTX *out, HMAC_CTX *in); -# define HMAC_CTX_copy ossl_HMAC_CTX_copy -#endif - -#if !defined(HAVE_X509_STORE_CTX_GET0_CURRENT_CRL) -# define X509_STORE_CTX_get0_current_crl(x) ((x)->current_crl) -#endif - -#if !defined(HAVE_X509_STORE_SET_VERIFY_CB) -# define X509_STORE_set_verify_cb X509_STORE_set_verify_cb_func -#endif - -#if !defined(HAVE_I2D_ASN1_SET_ANY) -# define i2d_ASN1_SET_ANY(sk, x) i2d_ASN1_SET_OF_ASN1_TYPE((sk), (x), \ - i2d_ASN1_TYPE, V_ASN1_SET, V_ASN1_UNIVERSAL, 0) -#endif - -#if !defined(HAVE_EVP_PKEY_GET0) -# define EVP_PKEY_get0(pk) (pk->pkey.ptr) -#endif - /* added in 1.0.2 */ #if !defined(OPENSSL_NO_EC) #if !defined(HAVE_EC_CURVE_NIST2NID) @@ -245,7 +198,7 @@ IMPL_PKEY_GETTER(EC_KEY, ec) #undef IMPL_KEY_ACCESSOR3 #endif /* HAVE_OPAQUE_OPENSSL */ -#if defined(HAVE_AUTHENTICATED_ENCRYPTION) && !defined(EVP_CTRL_AEAD_GET_TAG) +#if !defined(EVP_CTRL_AEAD_GET_TAG) # define EVP_CTRL_AEAD_GET_TAG EVP_CTRL_GCM_GET_TAG # define EVP_CTRL_AEAD_SET_TAG EVP_CTRL_GCM_SET_TAG # define EVP_CTRL_AEAD_SET_IVLEN EVP_CTRL_GCM_SET_IVLEN diff --git a/ext/openssl/ossl.c b/ext/openssl/ossl.c index eb71b643..1a0da90c 100644 --- a/ext/openssl/ossl.c +++ b/ext/openssl/ossl.c @@ -426,6 +426,72 @@ ossl_fips_mode_set(VALUE self, VALUE enabled) #endif } +#if defined(OSSL_DEBUG) +#if !defined(LIBRESSL_VERSION_NUMBER) && \ + (OPENSSL_VERSION_NUMBER >= 0x10100000 && !defined(OPENSSL_NO_CRYPTO_MDEBUG) || \ + defined(CRYPTO_malloc_debug_init)) +/* + * call-seq: + * OpenSSL.mem_check_start -> nil + * + * Calls CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON). Starts tracking memory + * allocations. See also OpenSSL.print_mem_leaks. + * + * This is available only when built with a capable OpenSSL and --enable-debug + * configure option. + */ +static VALUE +mem_check_start(VALUE self) +{ + CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON); + return Qnil; +} + +/* + * call-seq: + * OpenSSL.print_mem_leaks -> true | false + * + * For debugging the Ruby/OpenSSL library. Calls CRYPTO_mem_leaks_fp(stderr). + * Prints detected memory leaks to standard error. This cleans the global state + * up thus you cannot use any methods of the library after calling this. + * + * Returns true if leaks detected, false otherwise. + * + * This is available only when built with a capable OpenSSL and --enable-debug + * configure option. + * + * === Example + * OpenSSL.mem_check_start + * NOT_GCED = OpenSSL::PKey::RSA.new(256) + * + * END { + * GC.start + * OpenSSL.print_mem_leaks # will print the leakage + * } + */ +static VALUE +print_mem_leaks(VALUE self) +{ +#if OPENSSL_VERSION_NUMBER >= 0x10100000 + int ret; +#endif + + BN_CTX_free(ossl_bn_ctx); + ossl_bn_ctx = NULL; + +#if OPENSSL_VERSION_NUMBER >= 0x10100000 + ret = CRYPTO_mem_leaks_fp(stderr); + if (ret < 0) + ossl_raise(eOSSLError, "CRYPTO_mem_leaks_fp"); + return ret ? Qfalse : Qtrue; +#else + CRYPTO_mem_leaks_fp(stderr); + return Qnil; +#endif +} +#endif +#endif + #if !defined(HAVE_OPENSSL_110_THREADING_API) /** * Stores locks needed for OpenSSL thread safety @@ -473,19 +539,11 @@ ossl_dyn_destroy_callback(struct CRYPTO_dynlock_value *l, const char *file, int OPENSSL_free(l); } -#ifdef HAVE_CRYPTO_THREADID_PTR static void ossl_threadid_func(CRYPTO_THREADID *id) { /* register native thread id */ CRYPTO_THREADID_set_pointer(id, (void *)rb_nativethread_self()); } -#else -static unsigned long ossl_thread_id(void) -{ - /* before OpenSSL 1.0, this is 'unsigned long' */ - return (unsigned long)rb_nativethread_self(); -} -#endif static void Init_ossl_locks(void) { @@ -503,11 +561,7 @@ static void Init_ossl_locks(void) rb_nativethread_lock_initialize(&ossl_locks[i]); } -#ifdef HAVE_CRYPTO_THREADID_PTR CRYPTO_THREADID_set_callback(ossl_threadid_func); -#else - CRYPTO_set_id_callback(ossl_thread_id); -#endif CRYPTO_set_locking_callback(ossl_lock_callback); CRYPTO_set_dynlock_create_callback(ossl_dyn_create_callback); CRYPTO_set_dynlock_lock_callback(ossl_dyn_lock_callback); @@ -1126,15 +1180,40 @@ Init_openssl(void) Init_ossl_ocsp(); Init_ossl_engine(); Init_ossl_asn1(); -} #if defined(OSSL_DEBUG) -/* - * Check if all symbols are OK with 'make LDSHARED=gcc all' - */ -int -main(int argc, char *argv[]) -{ - return 0; + /* + * For debugging Ruby/OpenSSL. Enable only when built with --enable-debug + */ +#if !defined(LIBRESSL_VERSION_NUMBER) && \ + (OPENSSL_VERSION_NUMBER >= 0x10100000 && !defined(OPENSSL_NO_CRYPTO_MDEBUG) || \ + defined(CRYPTO_malloc_debug_init)) + rb_define_module_function(mOSSL, "mem_check_start", mem_check_start, 0); + rb_define_module_function(mOSSL, "print_mem_leaks", print_mem_leaks, 0); + +#if defined(CRYPTO_malloc_debug_init) /* <= 1.0.2 */ + CRYPTO_malloc_debug_init(); +#endif + +#if defined(V_CRYPTO_MDEBUG_ALL) /* <= 1.0.2 */ + CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL); +#endif + +#if OPENSSL_VERSION_NUMBER < 0x10100000 /* <= 1.0.2 */ + { + int i; + /* + * See crypto/ex_data.c; call def_get_class() immediately to avoid + * allocations. 15 is the maximum number that is used as the class index + * in OpenSSL 1.0.2. + */ + for (i = 0; i <= 15; i++) { + if (CRYPTO_get_ex_new_index(i, 0, (void *)"ossl-mdebug-dummy", 0, 0, 0) < 0) + rb_raise(rb_eRuntimeError, "CRYPTO_get_ex_new_index for " + "class index %d failed", i); + } + } +#endif +#endif +#endif } -#endif /* OSSL_DEBUG */ diff --git a/ext/openssl/ossl_asn1.c b/ext/openssl/ossl_asn1.c index 534796f5..9b554820 100644 --- a/ext/openssl/ossl_asn1.c +++ b/ext/openssl/ossl_asn1.c @@ -72,7 +72,6 @@ asn1time_to_time(const ASN1_TIME *time) return rb_funcall2(rb_cTime, rb_intern("utc"), 6, argv); } -#if defined(HAVE_ASN1_TIME_ADJ) void ossl_time_split(VALUE time, time_t *sec, int *days) { @@ -88,13 +87,6 @@ ossl_time_split(VALUE time, time_t *sec, int *days) *sec = NUM2TIMET(rb_funcall(num, rb_intern("%"), 1, INT2FIX(86400))); } } -#else -time_t -time_to_time_t(VALUE time) -{ - return (time_t)NUM2TIMET(rb_Integer(time)); -} -#endif /* * STRING conversion @@ -269,15 +261,10 @@ obj_to_asn1utime(VALUE time) time_t sec; ASN1_UTCTIME *t; -#if defined(HAVE_ASN1_TIME_ADJ) int off_days; ossl_time_split(time, &sec, &off_days); if (!(t = ASN1_UTCTIME_adj(NULL, sec, off_days, 0))) -#else - sec = time_to_time_t(time); - if (!(t = ASN1_UTCTIME_set(NULL, sec))) -#endif ossl_raise(eASN1Error, NULL); return t; @@ -289,15 +276,10 @@ obj_to_asn1gtime(VALUE time) time_t sec; ASN1_GENERALIZEDTIME *t; -#if defined(HAVE_ASN1_TIME_ADJ) int off_days; ossl_time_split(time, &sec, &off_days); if (!(t = ASN1_GENERALIZEDTIME_adj(NULL, sec, off_days, 0))) -#else - sec = time_to_time_t(time); - if (!(t = ASN1_GENERALIZEDTIME_set(NULL, sec))) -#endif ossl_raise(eASN1Error, NULL); return t; @@ -1291,7 +1273,7 @@ ossl_asn1cons_to_der(VALUE self) static VALUE ossl_asn1cons_each(VALUE self) { - rb_funcall(ossl_asn1_get_value(self), id_each, 0); + rb_block_call(ossl_asn1_get_value(self), id_each, 0, 0, 0, 0); return self; } diff --git a/ext/openssl/ossl_asn1.h b/ext/openssl/ossl_asn1.h index d6a170c8..939a96ce 100644 --- a/ext/openssl/ossl_asn1.h +++ b/ext/openssl/ossl_asn1.h @@ -14,15 +14,11 @@ * ASN1_DATE conversions */ VALUE asn1time_to_time(const ASN1_TIME *); -#if defined(HAVE_ASN1_TIME_ADJ) /* Splits VALUE to seconds and offset days. VALUE is typically a Time or an * Integer. This is used when updating ASN1_*TIME with ASN1_TIME_adj() or * X509_time_adj_ex(). We can't use ASN1_TIME_set() and X509_time_adj() because * they have the Year 2038 issue on sizeof(time_t) == 4 environment */ void ossl_time_split(VALUE, time_t *, int *); -#else -time_t time_to_time_t(VALUE); -#endif /* * ASN1_STRING conversions diff --git a/ext/openssl/ossl_bn.c b/ext/openssl/ossl_bn.c index 4e371cb2..dfe1b268 100644 --- a/ext/openssl/ossl_bn.c +++ b/ext/openssl/ossl_bn.c @@ -377,6 +377,21 @@ BIGNUM_BOOL1(is_one) */ BIGNUM_BOOL1(is_odd) +/* + * call-seq: + * bn.negative? => true | false + */ +static VALUE +ossl_bn_is_negative(VALUE self) +{ + BIGNUM *bn; + + GetBN(self, bn); + if (BN_is_zero(bn)) + return Qfalse; + return BN_is_negative(bn) ? Qtrue : Qfalse; +} + #define BIGNUM_1c(func) \ static VALUE \ ossl_bn_##func(VALUE self) \ @@ -856,6 +871,37 @@ ossl_bn_copy(VALUE self, VALUE other) return self; } +/* + * call-seq: + * +bn -> aBN + */ +static VALUE +ossl_bn_uplus(VALUE self) +{ + return self; +} + +/* + * call-seq: + * -bn -> aBN + */ +static VALUE +ossl_bn_uminus(VALUE self) +{ + VALUE obj; + BIGNUM *bn1, *bn2; + + GetBN(self, bn1); + obj = NewBN(cBN); + bn2 = BN_dup(bn1); + if (!bn2) + ossl_raise(eBNError, "BN_dup"); + SetBN(obj, bn2); + BN_set_negative(bn2, !BN_is_negative(bn2)); + + return obj; +} + #define BIGNUM_CMP(func) \ static VALUE \ ossl_bn_##func(VALUE self, VALUE other) \ @@ -1068,6 +1114,9 @@ Init_ossl_bn(void) rb_define_method(cBN, "num_bits", ossl_bn_num_bits, 0); /* num_bits_word */ + rb_define_method(cBN, "+@", ossl_bn_uplus, 0); + rb_define_method(cBN, "-@", ossl_bn_uminus, 0); + rb_define_method(cBN, "+", ossl_bn_add, 1); rb_define_method(cBN, "-", ossl_bn_sub, 1); rb_define_method(cBN, "*", ossl_bn_mul, 1); @@ -1101,6 +1150,7 @@ Init_ossl_bn(void) rb_define_method(cBN, "one?", ossl_bn_is_one, 0); /* is_word */ rb_define_method(cBN, "odd?", ossl_bn_is_odd, 0); + rb_define_method(cBN, "negative?", ossl_bn_is_negative, 0); /* zero * one diff --git a/ext/openssl/ossl_cipher.c b/ext/openssl/ossl_cipher.c index 73b667b2..aed7fbb4 100644 --- a/ext/openssl/ossl_cipher.c +++ b/ext/openssl/ossl_cipher.c @@ -512,10 +512,8 @@ ossl_cipher_set_iv(VALUE self, VALUE iv) StringValue(iv); GetCipher(self, ctx); -#if defined(HAVE_AUTHENTICATED_ENCRYPTION) if (EVP_CIPHER_CTX_flags(ctx) & EVP_CIPH_FLAG_AEAD_CIPHER) iv_len = (int)(VALUE)EVP_CIPHER_CTX_get_app_data(ctx); -#endif if (!iv_len) iv_len = EVP_CIPHER_CTX_iv_length(ctx); if (RSTRING_LEN(iv) != iv_len) @@ -541,14 +539,9 @@ ossl_cipher_is_authenticated(VALUE self) GetCipher(self, ctx); -#if defined(HAVE_AUTHENTICATED_ENCRYPTION) return (EVP_CIPHER_CTX_flags(ctx) & EVP_CIPH_FLAG_AEAD_CIPHER) ? Qtrue : Qfalse; -#else - return Qfalse; -#endif } -#ifdef HAVE_AUTHENTICATED_ENCRYPTION /* * call-seq: * cipher.auth_data = string -> string @@ -722,13 +715,6 @@ ossl_cipher_set_iv_length(VALUE self, VALUE iv_length) return iv_length; } -#else -#define ossl_cipher_set_auth_data rb_f_notimplement -#define ossl_cipher_get_auth_tag rb_f_notimplement -#define ossl_cipher_set_auth_tag rb_f_notimplement -#define ossl_cipher_set_auth_tag_len rb_f_notimplement -#define ossl_cipher_set_iv_length rb_f_notimplement -#endif /* * call-seq: @@ -806,10 +792,8 @@ ossl_cipher_iv_length(VALUE self) int len = 0; GetCipher(self, ctx); -#if defined(HAVE_AUTHENTICATED_ENCRYPTION) if (EVP_CIPHER_CTX_flags(ctx) & EVP_CIPH_FLAG_AEAD_CIPHER) len = (int)(VALUE)EVP_CIPHER_CTX_get_app_data(ctx); -#endif if (!len) len = EVP_CIPHER_CTX_iv_length(ctx); diff --git a/ext/openssl/ossl_pkcs5.c b/ext/openssl/ossl_pkcs5.c index 47c5bfa3..7811c5fe 100644 --- a/ext/openssl/ossl_pkcs5.c +++ b/ext/openssl/ossl_pkcs5.c @@ -6,7 +6,6 @@ VALUE mPKCS5; VALUE ePKCS5; -#ifdef HAVE_PKCS5_PBKDF2_HMAC /* * call-seq: * PKCS5.pbkdf2_hmac(pass, salt, iter, keylen, digest) => string @@ -18,8 +17,6 @@ VALUE ePKCS5; * * +keylen+ - integer * * +digest+ - a string or OpenSSL::Digest object. * - * Available in OpenSSL >= 1.0.0. - * * Digests other than SHA1 may not be supported by other cryptography libraries. */ static VALUE @@ -43,10 +40,6 @@ ossl_pkcs5_pbkdf2_hmac(VALUE self, VALUE pass, VALUE salt, VALUE iter, VALUE key return str; } -#else -#define ossl_pkcs5_pbkdf2_hmac rb_f_notimplement -#endif - /* * call-seq: @@ -99,8 +92,7 @@ Init_ossl_pkcs5(void) * slowed down artificially in order to render possible attacks infeasible. * * PKCS5 offers support for PBKDF2 with an OpenSSL::Digest::SHA1-based - * HMAC, or an arbitrary Digest if the underlying version of OpenSSL - * already supports it (>= 1.0.0). + * HMAC, or an arbitrary Digest. * * === Parameters * ==== Password diff --git a/ext/openssl/ossl_pkey.c b/ext/openssl/ossl_pkey.c index 6ab1b618..e161277d 100644 --- a/ext/openssl/ossl_pkey.c +++ b/ext/openssl/ossl_pkey.c @@ -92,7 +92,7 @@ pkey_new0(EVP_PKEY *pkey) case EVP_PKEY_DH: return ossl_dh_new(pkey); #endif -#if !defined(OPENSSL_NO_EC) && (OPENSSL_VERSION_NUMBER >= 0x0090802fL) +#if !defined(OPENSSL_NO_EC) case EVP_PKEY_EC: return ossl_ec_new(pkey); #endif diff --git a/ext/openssl/ossl_pkey_dsa.c b/ext/openssl/ossl_pkey_dsa.c index 85085419..b21abc42 100644 --- a/ext/openssl/ossl_pkey_dsa.c +++ b/ext/openssl/ossl_pkey_dsa.c @@ -627,12 +627,6 @@ Init_ossl_dsa(void) * DSA, the Digital Signature Algorithm, is specified in NIST's * FIPS 186-3. It is an asymmetric public key algorithm that may be used * similar to e.g. RSA. - * Please note that for OpenSSL versions prior to 1.0.0 the digest - * algorithms OpenSSL::Digest::DSS (equivalent to SHA) or - * OpenSSL::Digest::DSS1 (equivalent to SHA-1) must be used for issuing - * signatures with a DSA key using OpenSSL::PKey#sign. - * Starting with OpenSSL 1.0.0, digest algorithms are no longer restricted, - * any Digest may be used for signing. */ cDSA = rb_define_class_under(mPKey, "DSA", cPKey); diff --git a/ext/openssl/ossl_pkey_ec.c b/ext/openssl/ossl_pkey_ec.c index fc3f034a..ce347516 100644 --- a/ext/openssl/ossl_pkey_ec.c +++ b/ext/openssl/ossl_pkey_ec.c @@ -4,7 +4,7 @@ #include "ossl.h" -#if !defined(OPENSSL_NO_EC) && (OPENSSL_VERSION_NUMBER >= 0x0090802fL) +#if !defined(OPENSSL_NO_EC) #define EXPORT_PEM 0 #define EXPORT_DER 1 diff --git a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c index eef7dbec..ef948dc5 100644 --- a/ext/openssl/ossl_ssl.c +++ b/ext/openssl/ossl_ssl.c @@ -51,31 +51,33 @@ static ID id_i_io, id_i_context, id_i_hostname; */ static const struct { const char *name; - SSL_METHOD *(*func)(void); /* FIXME: constify when dropping 0.9.8 */ + const SSL_METHOD *(*func)(void); int version; } ossl_ssl_method_tab[] = { #if defined(HAVE_SSL_CTX_SET_MIN_PROTO_VERSION) #define OSSL_SSL_METHOD_ENTRY(name, version) \ - { #name, (SSL_METHOD *(*)(void))TLS_method, version }, \ - { #name"_server", (SSL_METHOD *(*)(void))TLS_server_method, version }, \ - { #name"_client", (SSL_METHOD *(*)(void))TLS_client_method, version } + { #name, TLS_method, version }, \ + { #name"_server", TLS_server_method, version }, \ + { #name"_client", TLS_client_method, version } #else #define OSSL_SSL_METHOD_ENTRY(name, version) \ - { #name, (SSL_METHOD *(*)(void))name##_method, version }, \ - { #name"_server", (SSL_METHOD *(*)(void))name##_server_method, version }, \ - { #name"_client", (SSL_METHOD *(*)(void))name##_client_method, version } + { #name, name##_method, version }, \ + { #name"_server", name##_server_method, version }, \ + { #name"_client", name##_client_method, version } #endif -#if defined(HAVE_SSLV2_METHOD) +#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL2_METHOD) && defined(HAVE_SSLV2_METHOD) OSSL_SSL_METHOD_ENTRY(SSLv2, SSL2_VERSION), #endif -#if defined(HAVE_SSLV3_METHOD) +#if !defined(OPENSSL_NO_SSL3) && !defined(OPENSSL_NO_SSL3_METHOD) && defined(HAVE_SSLV3_METHOD) OSSL_SSL_METHOD_ENTRY(SSLv3, SSL3_VERSION), #endif +#if !defined(OPENSSL_NO_TLS1) && !defined(OPENSSL_NO_TLS1_METHOD) OSSL_SSL_METHOD_ENTRY(TLSv1, TLS1_VERSION), -#if defined(HAVE_TLSV1_1_METHOD) +#endif +#if !defined(OPENSSL_NO_TLS1_1) && !defined(OPENSSL_NO_TLS1_1_METHOD) OSSL_SSL_METHOD_ENTRY(TLSv1_1, TLS1_1_VERSION), #endif -#if defined(HAVE_TLSV1_2_METHOD) +#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_2_METHOD) OSSL_SSL_METHOD_ENTRY(TLSv1_2, TLS1_2_VERSION), #endif OSSL_SSL_METHOD_ENTRY(SSLv23, 0), @@ -109,14 +111,12 @@ static VALUE ossl_sslctx_s_alloc(VALUE klass) { SSL_CTX *ctx; - long mode = SSL_MODE_ENABLE_PARTIAL_WRITE | - SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER; + long mode = 0 | + SSL_MODE_ENABLE_PARTIAL_WRITE | + SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER | + SSL_MODE_RELEASE_BUFFERS; VALUE obj; -#ifdef SSL_MODE_RELEASE_BUFFERS - mode |= SSL_MODE_RELEASE_BUFFERS; -#endif - obj = TypedData_Wrap_Struct(klass, &ossl_sslctx_type, 0); ctx = SSL_CTX_new(SSLv23_method()); if (!ctx) { @@ -168,7 +168,7 @@ ossl_sslctx_set_ssl_version(VALUE self, VALUE ssl_method) #if defined(HAVE_SSL_CTX_SET_MIN_PROTO_VERSION) int version = ossl_ssl_method_tab[i].version; #endif - SSL_METHOD *method = ossl_ssl_method_tab[i].func(); + const SSL_METHOD *method = ossl_ssl_method_tab[i].func(); if (SSL_CTX_set_ssl_version(ctx, method) != 1) ossl_raise(eSSLError, "SSL_CTX_set_ssl_version"); @@ -514,7 +514,6 @@ ossl_sslctx_add_extra_chain_cert_i(RB_BLOCK_CALL_FUNC_ARGLIST(i, arg)) static VALUE ossl_sslctx_setup(VALUE self); -#ifdef HAVE_SSL_SET_TLSEXT_HOST_NAME static VALUE ossl_call_servername_cb(VALUE ary) { @@ -571,7 +570,6 @@ ssl_servername_cb(SSL *ssl, int *ad, void *arg) return SSL_TLSEXT_ERR_OK; } -#endif static void ssl_renegotiation_cb(const SSL *ssl) @@ -944,13 +942,11 @@ ossl_sslctx_setup(VALUE self) OSSL_Debug("SSL SESSION remove callback added"); } -#ifdef HAVE_SSL_SET_TLSEXT_HOST_NAME val = rb_attr_get(self, id_i_servername_cb); if (!NIL_P(val)) { SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb); OSSL_Debug("SSL TLSEXT servername callback added"); } -#endif return Qtrue; } @@ -2092,7 +2088,6 @@ ossl_ssl_set_session(VALUE self, VALUE arg1) return arg1; } -#ifdef HAVE_SSL_SET_TLSEXT_HOST_NAME /* * call-seq: * ssl.hostname = hostname -> hostname @@ -2119,7 +2114,6 @@ ossl_ssl_set_hostname(VALUE self, VALUE arg) return arg; } -#endif /* * call-seq: @@ -2437,11 +2431,7 @@ Init_ossl_ssl(void) */ rb_attr(cSSLContext, rb_intern("session_remove_cb"), 1, 1, Qfalse); -#ifdef HAVE_SSL_SET_TLSEXT_HOST_NAME rb_define_const(mSSLExtConfig, "HAVE_TLSEXT_HOST_NAME", Qtrue); -#else - rb_define_const(mSSLExtConfig, "HAVE_TLSEXT_HOST_NAME", Qfalse); -#endif #ifdef TLS_DH_anon_WITH_AES_256_GCM_SHA384 rb_define_const(mSSLExtConfig, "TLS_DH_anon_WITH_AES_256_GCM_SHA384", Qtrue); @@ -2646,10 +2636,8 @@ Init_ossl_ssl(void) rb_define_method(cSSLSocket, "session=", ossl_ssl_set_session, 1); rb_define_method(cSSLSocket, "verify_result", ossl_ssl_get_verify_result, 0); rb_define_method(cSSLSocket, "client_ca", ossl_ssl_get_client_ca_list, 0); -#ifdef HAVE_SSL_SET_TLSEXT_HOST_NAME /* #hostname is defined in lib/openssl/ssl.rb */ rb_define_method(cSSLSocket, "hostname=", ossl_ssl_set_hostname, 1); -#endif # ifdef HAVE_SSL_GET_SERVER_TMP_KEY rb_define_method(cSSLSocket, "tmp_key", ossl_ssl_tmp_key, 0); # endif @@ -2691,18 +2679,10 @@ Init_ossl_ssl(void) ossl_ssl_def_const(OP_NO_SSLv2); ossl_ssl_def_const(OP_NO_SSLv3); ossl_ssl_def_const(OP_NO_TLSv1); -#if defined(SSL_OP_NO_TLSv1_1) ossl_ssl_def_const(OP_NO_TLSv1_1); -#endif -#if defined(SSL_OP_NO_TLSv1_2) ossl_ssl_def_const(OP_NO_TLSv1_2); -#endif -#if defined(SSL_OP_NO_TICKET) ossl_ssl_def_const(OP_NO_TICKET); -#endif -#if defined(SSL_OP_NO_COMPRESSION) ossl_ssl_def_const(OP_NO_COMPRESSION); -#endif ossl_ssl_def_const(OP_PKCS1_CHECK_1); ossl_ssl_def_const(OP_PKCS1_CHECK_2); ossl_ssl_def_const(OP_NETSCAPE_CA_DN_BUG); diff --git a/ext/openssl/ossl_ssl_session.c b/ext/openssl/ossl_ssl_session.c index 1b602a6c..fefbf28b 100644 --- a/ext/openssl/ossl_ssl_session.c +++ b/ext/openssl/ossl_ssl_session.c @@ -93,8 +93,8 @@ ossl_ssl_session_initialize_copy(VALUE self, VALUE other) return self; } -#if !defined(HAVE_SSL_SESSION_CMP) -int ossl_SSL_SESSION_cmp(const SSL_SESSION *a, const SSL_SESSION *b) +static int +ossl_SSL_SESSION_cmp(const SSL_SESSION *a, const SSL_SESSION *b) { unsigned int a_len; const unsigned char *a_sid = SSL_SESSION_get_id(a, &a_len); @@ -108,8 +108,6 @@ int ossl_SSL_SESSION_cmp(const SSL_SESSION *a, const SSL_SESSION *b) return CRYPTO_memcmp(a_sid, b_sid, a_len); } -#define SSL_SESSION_cmp(a, b) ossl_SSL_SESSION_cmp(a, b) -#endif /* * call-seq: @@ -124,7 +122,7 @@ static VALUE ossl_ssl_session_eq(VALUE val1, VALUE val2) GetSSLSession(val1, ctx1); SafeGetSSLSession(val2, ctx2); - switch (SSL_SESSION_cmp(ctx1, ctx2)) { + switch (ossl_SSL_SESSION_cmp(ctx1, ctx2)) { case 0: return Qtrue; default: return Qfalse; } diff --git a/ext/openssl/ossl_x509.c b/ext/openssl/ossl_x509.c index 19ec274a..8a061b06 100644 --- a/ext/openssl/ossl_x509.c +++ b/ext/openssl/ossl_x509.c @@ -20,15 +20,10 @@ ossl_x509_time_adjust(ASN1_TIME *s, VALUE time) { time_t sec; -#if defined(HAVE_ASN1_TIME_ADJ) int off_days; ossl_time_split(time, &sec, &off_days); return X509_time_adj_ex(s, off_days, 0, &sec); -#else - sec = time_to_time_t(time); - return X509_time_adj(s, 0, &sec); -#endif } void @@ -112,21 +107,15 @@ Init_ossl_x509(void) DefX509Const(V_FLAG_INHIBIT_MAP); /* Set by Store#flags= and StoreContext#flags=. */ DefX509Const(V_FLAG_NOTIFY_POLICY); -#if defined(X509_V_FLAG_EXTENDED_CRL_SUPPORT) /* Set by Store#flags= and StoreContext#flags=. Enables some additional * features including support for indirect signed CRLs. */ DefX509Const(V_FLAG_EXTENDED_CRL_SUPPORT); -#endif -#if defined(X509_V_FLAG_USE_DELTAS) /* Set by Store#flags= and StoreContext#flags=. Uses delta CRLs. If not * specified, deltas are ignored. */ DefX509Const(V_FLAG_USE_DELTAS); -#endif -#if defined(X509_V_FLAG_CHECK_SS_SIGNATURE) /* Set by Store#flags= and StoreContext#flags=. Enables checking of the * signature of the root self-signed CA. */ DefX509Const(V_FLAG_CHECK_SS_SIGNATURE); -#endif #if defined(X509_V_FLAG_TRUSTED_FIRST) /* Set by Store#flags= and StoreContext#flags=. When constructing a * certificate chain, search the Store first for the issuer certificate. @@ -161,10 +150,8 @@ Init_ossl_x509(void) DefX509Const(PURPOSE_ANY); /* Set by Store#purpose=. OCSP helper. */ DefX509Const(PURPOSE_OCSP_HELPER); -#if defined(X509_PURPOSE_TIMESTAMP_SIGN) /* Set by Store#purpose=. Time stamps signer. */ DefX509Const(PURPOSE_TIMESTAMP_SIGN); -#endif DefX509Const(TRUST_COMPAT); DefX509Const(TRUST_SSL_CLIENT); @@ -173,9 +160,7 @@ Init_ossl_x509(void) DefX509Const(TRUST_OBJECT_SIGN); DefX509Const(TRUST_OCSP_SIGN); DefX509Const(TRUST_OCSP_REQUEST); -#if defined(X509_TRUST_TSA) DefX509Const(TRUST_TSA); -#endif DefX509Default(CERT_AREA, cert_area); DefX509Default(CERT_DIR, cert_dir); diff --git a/ext/openssl/ossl_x509name.c b/ext/openssl/ossl_x509name.c index 4523e0d7..56816bdc 100644 --- a/ext/openssl/ossl_x509name.c +++ b/ext/openssl/ossl_x509name.c @@ -398,7 +398,6 @@ ossl_x509name_hash(VALUE self) return ULONG2NUM(hash); } -#ifdef HAVE_X509_NAME_HASH_OLD /* * call-seq: * name.hash_old => integer @@ -417,7 +416,6 @@ ossl_x509name_hash_old(VALUE self) return ULONG2NUM(hash); } -#endif /* * call-seq: @@ -486,9 +484,7 @@ Init_ossl_x509name(void) rb_define_alias(cX509Name, "<=>", "cmp"); rb_define_method(cX509Name, "eql?", ossl_x509name_eql, 1); rb_define_method(cX509Name, "hash", ossl_x509name_hash, 0); -#ifdef HAVE_X509_NAME_HASH_OLD rb_define_method(cX509Name, "hash_old", ossl_x509name_hash_old, 0); -#endif rb_define_method(cX509Name, "to_der", ossl_x509name_to_der, 0); utf8str = INT2NUM(V_ASN1_UTF8STRING); diff --git a/lib/openssl/digest.rb b/lib/openssl/digest.rb index 97ccbc95..b5729240 100644 --- a/lib/openssl/digest.rb +++ b/lib/openssl/digest.rb @@ -15,13 +15,10 @@ module OpenSSL class Digest - alg = %w(MD2 MD4 MD5 MDC2 RIPEMD160 SHA1) + alg = %w(MD2 MD4 MD5 MDC2 RIPEMD160 SHA1 SHA224 SHA256 SHA384 SHA512) if OPENSSL_VERSION_NUMBER < 0x10100000 alg += %w(DSS DSS1 SHA) end - if OPENSSL_VERSION_NUMBER > 0x00908000 - alg += %w(SHA224 SHA256 SHA384 SHA512) - end # Return the +data+ hash computed with +name+ Digest. +name+ is either the # long name or short name of a supported digest algorithm. diff --git a/lib/openssl/ssl.rb b/lib/openssl/ssl.rb index 0ebece0b..4ea0ffaf 100644 --- a/lib/openssl/ssl.rb +++ b/lib/openssl/ssl.rb @@ -23,7 +23,7 @@ module OpenSSL :options => -> { opts = OpenSSL::SSL::OP_ALL opts &= ~OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS - opts |= OpenSSL::SSL::OP_NO_COMPRESSION if defined?(OpenSSL::SSL::OP_NO_COMPRESSION) + opts |= OpenSSL::SSL::OP_NO_COMPRESSION opts |= OpenSSL::SSL::OP_NO_SSLv2 | OpenSSL::SSL::OP_NO_SSLv3 opts }.call @@ -120,7 +120,7 @@ YoaOffgTf5qxiwkjnlVZQc3whgnEt9FpVMvQ9eknyeGB5KHfayAc3+hUAvI3/Cr3 # # The callback is invoked with an SSLSocket and a server name. The # callback must return an SSLContext for the server name or nil. - attr_accessor :servername_cb if ExtConfig::HAVE_TLSEXT_HOST_NAME + attr_accessor :servername_cb # call-seq: # SSLContext.new => ctx @@ -275,9 +275,7 @@ YoaOffgTf5qxiwkjnlVZQc3whgnEt9FpVMvQ9eknyeGB5KHfayAc3+hUAvI3/Cr3 include Buffering include SocketForwarder - if ExtConfig::HAVE_TLSEXT_HOST_NAME - attr_reader :hostname - end + attr_reader :hostname # The underlying IO object. attr_reader :io diff --git a/test/fixtures/pkey/dh1024.pem b/test/fixtures/pkey/dh1024.pem new file mode 100644 index 00000000..f99c757f --- /dev/null +++ b/test/fixtures/pkey/dh1024.pem @@ -0,0 +1,5 @@ +-----BEGIN DH PARAMETERS----- +MIGHAoGBAKnKQ8MNK6nYZzLrrcuTsLxuiJGXoOO5gT+tljOTbHBuiktdMTITzIY0 +pFxIvjG05D7HoBZQfrR0c92NGWPkAiCkhQKB8JCbPVzwNLDy6DZ0pmofDKrEsYHG +AQjjxMXhwULlmuR/K+WwlaZPiLIBYalLAZQ7ZbOPeVkJ8ePao0eLAgEC +-----END DH PARAMETERS----- diff --git a/test/fixtures/pkey/dsa1024.pem b/test/fixtures/pkey/dsa1024.pem new file mode 100644 index 00000000..1bf49889 --- /dev/null +++ b/test/fixtures/pkey/dsa1024.pem @@ -0,0 +1,12 @@ +-----BEGIN DSA PRIVATE KEY----- +MIIBugIBAAKBgQCH9aAoXvWWThIjkA6D+nI1F9ksF9iDq594rkiGNOT9sPDOdB+n +D+qeeeeloRlj19ymCSADPI0ZLRgkchkAEnY2RnqnhHOjVf/roGgRbW+iQDMbQ9wa +/pvc6/fAbsu1goE1hBYjm98/sZEeXavj8tR56IXnjF1b6Nx0+sgeUKFKEQIVAMiz +4BJUFeTtddyM4uadBM7HKLPRAoGAZdLBSYNGiij7vAjesF5mGUKTIgPd+JKuBEDx +OaBclsgfdoyoF/TMOkIty+PVlYD+//Vl2xnoUEIRaMXHwHfm0r2xUX++oeRaSScg +YizJdUxe5jvBuBszGPRc/mGpb9YvP0sB+FL1KmuxYmdODfCe51zl8uM/CVhouJ3w +DjmRGscCgYAuFlfC7p+e8huCKydfcv/beftqjewiOPpQ3u5uI6KPCtCJPpDhs3+4 +IihH2cPsAlqwGF4tlibW1+/z/OZ1AZinPK3y7b2jSJASEaPeEltVzB92hcd1khk2 +jTYcmSsV4VddplOPK9czytR/GbbibxsrhhgZUbd8LPbvIgaiadJ1PgIUBnJ/5vN2 +CVArsEzlPUCbohPvZnE= +-----END DSA PRIVATE KEY----- diff --git a/test/fixtures/pkey/dsa256.pem b/test/fixtures/pkey/dsa256.pem new file mode 100644 index 00000000..d9a407f7 --- /dev/null +++ b/test/fixtures/pkey/dsa256.pem @@ -0,0 +1,8 @@ +-----BEGIN DSA PRIVATE KEY----- +MIH3AgEAAkEAhk2libbY2a8y2Pt21+YPYGZeW6wzaW2yfj5oiClXro9XMR7XWLkE +9B7XxLNFCS2gmCCdMsMW1HulaHtLFQmB2wIVAM43JZrcgpu6ajZ01VkLc93gu/Ed +AkAOhujZrrKV5CzBKutKLb0GVyVWmdC7InoNSMZEeGU72rT96IjM59YzoqmD0pGM +3I1o4cGqg1D1DfM1rQlnN1eSAkBq6xXfEDwJ1mLNxF6q8Zm/ugFYWR5xcX/3wFiT +b4+EjHP/DbNh9Vm5wcfnDBJ1zKvrMEf2xqngYdrV/3CiGJeKAhRvL57QvJZcQGvn +ISNX5cMzFHRW3Q== +-----END DSA PRIVATE KEY----- diff --git a/test/fixtures/pkey/dsa512.pem b/test/fixtures/pkey/dsa512.pem new file mode 100644 index 00000000..962c41cc --- /dev/null +++ b/test/fixtures/pkey/dsa512.pem @@ -0,0 +1,8 @@ +-----BEGIN DSA PRIVATE KEY----- +MIH4AgEAAkEA5lB4GvEwjrsMlGDqGsxrbqeFRh6o9OWt6FgTYiEEHaOYhkIxv0Ok +RZPDNwOG997mDjBnvDJ1i56OmS3MbTnovwIVAJgub/aDrSDB4DZGH7UyarcaGy6D +AkB9HdFw/3td8K4l1FZHv7TCZeJ3ZLb7dF3TWoGUP003RCqoji3/lHdKoVdTQNuR +S/m6DlCwhjRjiQ/lBRgCLCcaAkEAjN891JBjzpMj4bWgsACmMggFf57DS0Ti+5++ +Q1VB8qkJN7rA7/2HrCR3gTsWNb1YhAsnFsoeRscC+LxXoXi9OAIUBG98h4tilg6S +55jreJD3Se3slps= +-----END DSA PRIVATE KEY----- diff --git a/test/fixtures/pkey/p256.pem b/test/fixtures/pkey/p256.pem new file mode 100644 index 00000000..97c97d9f --- /dev/null +++ b/test/fixtures/pkey/p256.pem @@ -0,0 +1,5 @@ +-----BEGIN EC PRIVATE KEY----- +MHcCAQEEIID49FDqcf1O1eO8saTgG70UbXQw9Fqwseliit2aWhH1oAoGCCqGSM49 +AwEHoUQDQgAEFglk2c+oVUIKQ64eZG9bhLNPWB7lSZ/ArK41eGy5wAzU/0G51Xtt +CeBUl+MahZtn9fO1JKdF4qJmS39dXnpENg== +-----END EC PRIVATE KEY----- diff --git a/test/fixtures/pkey/rsa1024.pem b/test/fixtures/pkey/rsa1024.pem new file mode 100644 index 00000000..464de074 --- /dev/null +++ b/test/fixtures/pkey/rsa1024.pem @@ -0,0 +1,15 @@ +-----BEGIN RSA PRIVATE KEY----- +MIICXgIBAAKBgQDLwsSw1ECnPtT+PkOgHhcGA71nwC2/nL85VBGnRqDxOqjVh7Cx +aKPERYHsk4BPCkE3brtThPWc9kjHEQQ7uf9Y1rbCz0layNqHyywQEVLFmp1cpIt/ +Q3geLv8ZD9pihowKJDyMDiN6ArYUmZczvW4976MU3+l54E6lF/JfFEU5hwIDAQAB +AoGBAKSl/MQarye1yOysqX6P8fDFQt68VvtXkNmlSiKOGuzyho0M+UVSFcs6k1L0 +maDE25AMZUiGzuWHyaU55d7RXDgeskDMakD1v6ZejYtxJkSXbETOTLDwUWTn618T +gnb17tU1jktUtU67xK/08i/XodlgnQhs6VoHTuCh3Hu77O6RAkEA7+gxqBuZR572 +74/akiW/SuXm0SXPEviyO1MuSRwtI87B02D0qgV8D1UHRm4AhMnJ8MCs1809kMQE +JiQUCrp9mQJBANlt2ngBO14us6NnhuAseFDTBzCHXwUUu1YKHpMMmxpnGqaldGgX +sOZB3lgJsT9VlGf3YGYdkLTNVbogQKlKpB8CQQDiSwkb4vyQfDe8/NpU5Not0fII +8jsDUCb+opWUTMmfbxWRR3FBNu8wnym/m19N4fFj8LqYzHX4KY0oVPu6qvJxAkEA +wa5snNekFcqONLIE4G5cosrIrb74sqL8GbGb+KuTAprzj5z1K8Bm0UW9lTjVDjDi +qRYgZfZSL+x1P/54+xTFSwJAY1FxA/N3QPCXCjPh5YqFxAMQs2VVYTfg+t0MEcJD +dPMQD5JX6g5HKnHFg2mZtoXQrWmJSn7p8GJK8yNTopEErA== +-----END RSA PRIVATE KEY----- diff --git a/test/fixtures/pkey/rsa2048.pem b/test/fixtures/pkey/rsa2048.pem new file mode 100644 index 00000000..ac89cd88 --- /dev/null +++ b/test/fixtures/pkey/rsa2048.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAuV9ht9J7k4NBs38jOXvvTKY9gW8nLICSno5EETR1cuF7i4pN +s9I1QJGAFAX0BEO4KbzXmuOvfCpD3CU+Slp1enenfzq/t/e/1IRW0wkJUJUFQign +4CtrkJL+P07yx18UjyPlBXb81ApEmAB5mrJVSrWmqbjs07JbuS4QQGGXLc+Su96D +kYKmSNVjBiLxVVSpyZfAY3hD37d60uG+X8xdW5v68JkRFIhdGlb6JL8fllf/A/bl +NwdJOhVr9mESHhwGjwfSeTDPfd8ZLE027E5lyAVX9KZYcU00mOX+fdxOSnGqS/8J +DRh0EPHDL15RcJjV2J6vZjPb0rOYGDoMcH+94wIDAQABAoIBAAzsamqfYQAqwXTb +I0CJtGg6msUgU7HVkOM+9d3hM2L791oGHV6xBAdpXW2H8LgvZHJ8eOeSghR8+dgq +PIqAffo4x1Oma+FOg3A0fb0evyiACyrOk+EcBdbBeLo/LcvahBtqnDfiUMQTpy6V +seSoFCwuN91TSCeGIsDpRjbG1vxZgtx+uI+oH5+ytqJOmfCksRDCkMglGkzyfcl0 +Xc5CUhIJ0my53xijEUQl19rtWdMnNnnkdbG8PT3LZlOta5Do86BElzUYka0C6dUc +VsBDQ0Nup0P6rEQgy7tephHoRlUGTYamsajGJaAo1F3IQVIrRSuagi7+YpSpCqsW +wORqorkCgYEA7RdX6MDVrbw7LePnhyuaqTiMK+055/R1TqhB1JvvxJ1CXk2rDL6G +0TLHQ7oGofd5LYiemg4ZVtWdJe43BPZlVgT6lvL/iGo8JnrncB9Da6L7nrq/+Rvj +XGjf1qODCK+LmreZWEsaLPURIoR/Ewwxb9J2zd0CaMjeTwafJo1CZvcCgYEAyCgb +aqoWvUecX8VvARfuA593Lsi50t4MEArnOXXcd1RnXoZWhbx5rgO8/ATKfXr0BK/n +h2GF9PfKzHFm/4V6e82OL7gu/kLy2u9bXN74vOvWFL5NOrOKPM7Kg+9I131kNYOw +Ivnr/VtHE5s0dY7JChYWE1F3vArrOw3T00a4CXUCgYEA0SqY+dS2LvIzW4cHCe9k +IQqsT0yYm5TFsUEr4sA3xcPfe4cV8sZb9k/QEGYb1+SWWZ+AHPV3UW5fl8kTbSNb +v4ng8i8rVVQ0ANbJO9e5CUrepein2MPL0AkOATR8M7t7dGGpvYV0cFk8ZrFx0oId +U0PgYDotF/iueBWlbsOM430CgYEAqYI95dFyPI5/AiSkY5queeb8+mQH62sdcCCr +vd/w/CZA/K5sbAo4SoTj8dLk4evU6HtIa0DOP63y071eaxvRpTNqLUOgmLh+D6gS +Cc7TfLuFrD+WDBatBd5jZ+SoHccVrLR/4L8jeodo5FPW05A+9gnKXEXsTxY4LOUC +9bS4e1kCgYAqVXZh63JsMwoaxCYmQ66eJojKa47VNrOeIZDZvd2BPVf30glBOT41 +gBoDG3WMPZoQj9pb7uMcrnvs4APj2FIhMU8U15LcPAj59cD6S6rWnAxO8NFK7HQG +4Jxg3JNNf8ErQoCHb1B3oVdXJkmbJkARoDpBKmTCgKtP8ADYLmVPQw== +-----END RSA PRIVATE KEY----- diff --git a/test/test_asn1.rb b/test/test_asn1.rb index a0ac1ddb..48c1d06a 100644 --- a/test/test_asn1.rb +++ b/test/test_asn1.rb @@ -4,7 +4,7 @@ require_relative 'utils' class OpenSSL::TestASN1 < OpenSSL::TestCase def test_decode subj = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=TestCA") - key = OpenSSL::TestUtils::TEST_KEY_RSA1024 + key = Fixtures.pkey("rsa1024") now = Time.at(Time.now.to_i) # suppress usec s = 0xdeadbeafdeadbeafdeadbeafdeadbeaf exts = [ @@ -566,6 +566,13 @@ rEzBQ0F9dUyqQ9gyRg8KHhDfv9HzT1d/rnUZMkoombwYBRIUChGCYV0GnJcan2Zm assert_equal 17, ret[0][6] end + def test_constructive_each + data = [OpenSSL::ASN1::Integer.new(0), OpenSSL::ASN1::Integer.new(1)] + seq = OpenSSL::ASN1::Sequence.new data + + assert_equal data, seq.entries + end + private def assert_universal(tag, asn1) @@ -576,4 +583,4 @@ rEzBQ0F9dUyqQ9gyRg8KHhDfv9HzT1d/rnUZMkoombwYBRIUChGCYV0GnJcan2Zm assert_equal(:UNIVERSAL, asn1.tag_class) end -end if defined?(OpenSSL::TestUtils) +end diff --git a/test/test_bn.rb b/test/test_bn.rb index 37ba5e55..02c53f39 100644 --- a/test/test_bn.rb +++ b/test/test_bn.rb @@ -1,61 +1,272 @@ +# coding: us-ascii # frozen_string_literal: false require_relative 'utils' - -if defined?(OpenSSL::TestUtils) +require "prime" class OpenSSL::TestBN < OpenSSL::TestCase - def test_new_str - e1 = OpenSSL::BN.new(999.to_s(16), 16) # OpenSSL::BN.new(str, 16) must be most stable - e2 = OpenSSL::BN.new((2**107-1).to_s(16), 16) - assert_equal(e1, OpenSSL::BN.new("999")) - assert_equal(e2, OpenSSL::BN.new((2**107-1).to_s)) - assert_equal(e1, OpenSSL::BN.new("999", 10)) - assert_equal(e2, OpenSSL::BN.new((2**107-1).to_s, 10)) - assert_equal(e1, OpenSSL::BN.new("\x03\xE7", 2)) - assert_equal(e2, OpenSSL::BN.new("\a\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF", 2)) - assert_equal(e1, OpenSSL::BN.new("\x00\x00\x00\x02\x03\xE7", 0)) - assert_equal(e2, OpenSSL::BN.new("\x00\x00\x00\x0E\a\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF", 0)) - end - - def test_new_bn - e1 = OpenSSL::BN.new(999.to_s(16), 16) - e2 = OpenSSL::BN.new((2**107-1).to_s(16), 16) - assert_equal(e1, OpenSSL::BN.new(e1)) - assert_equal(e2, OpenSSL::BN.new(e2)) - end - - def test_new_integer - assert_equal(999.to_bn, OpenSSL::BN.new(999)) - assert_equal((2 ** 107 - 1).to_bn, OpenSSL::BN.new(2 ** 107 - 1)) - assert_equal(-999.to_bn, OpenSSL::BN.new(-999)) - assert_equal((-(2 ** 107 - 1)).to_bn, OpenSSL::BN.new(-(2 ** 107 - 1))) - end - - def test_to_bn - e1 = OpenSSL::BN.new(999.to_s(16), 16) - e2 = OpenSSL::BN.new((2**107-1).to_s(16), 16) - assert_equal(e1, 999.to_bn) - assert_equal(e2, (2**107-1).to_bn) - end - - def test_prime_p - assert_equal(true, OpenSSL::BN.new((2 ** 107 - 1).to_s(16), 16).prime?) - assert_equal(true, OpenSSL::BN.new((2 ** 127 - 1).to_s(16), 16).prime?(1)) - end - - def test_cmp - bn1 = OpenSSL::BN.new('1') - bn2 = OpenSSL::BN.new('1') - bn3 = OpenSSL::BN.new('2') - assert_equal(false, bn1 == nil) - assert_equal(true, bn1 != nil) - assert_equal(true, bn1 == bn2) - assert_equal(false, bn1 == bn3) - assert_equal(true, bn1.eql?(bn2)) - assert_equal(false, bn1.eql?(bn3)) - assert_equal(bn1.hash, bn2.hash) - assert_not_equal(bn3.hash, bn1.hash) + def setup + super + @e1 = OpenSSL::BN.new(999.to_s(16), 16) # OpenSSL::BN.new(str, 16) must be most stable + @e2 = OpenSSL::BN.new("-" + 999.to_s(16), 16) + @e3 = OpenSSL::BN.new((2**107-1).to_s(16), 16) + @e4 = OpenSSL::BN.new("-" + (2**107-1).to_s(16), 16) + end + + def test_new + assert_equal(@e1, OpenSSL::BN.new("999")) + assert_equal(@e1, OpenSSL::BN.new("999", 10)) + assert_equal(@e1, OpenSSL::BN.new("\x03\xE7", 2)) + assert_equal(@e1, OpenSSL::BN.new("\x00\x00\x00\x02\x03\xE7", 0)) + assert_equal(@e2, OpenSSL::BN.new("-999")) + assert_equal(@e2, OpenSSL::BN.new("-999", 10)) + assert_equal(@e2, OpenSSL::BN.new("\x00\x00\x00\x02\x83\xE7", 0)) + assert_equal(@e3, OpenSSL::BN.new((2**107-1).to_s)) + assert_equal(@e3, OpenSSL::BN.new((2**107-1).to_s, 10)) + assert_equal(@e3, OpenSSL::BN.new("\a\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF", 2)) + assert_equal(@e3, OpenSSL::BN.new("\x00\x00\x00\x0E\a\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF", 0)) + assert_equal(@e4, OpenSSL::BN.new("-" + (2**107-1).to_s)) + assert_equal(@e4, OpenSSL::BN.new("-" + (2**107-1).to_s, 10)) + assert_equal(@e4, OpenSSL::BN.new("\x00\x00\x00\x0E\x87\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF", 0)) + + e1copy = OpenSSL::BN.new(@e1) + assert_equal(@e1, e1copy) + e1copy.clear_bit!(0) #=> 998 + assert_not_equal(@e1, e1copy) + + assert_equal(@e1, OpenSSL::BN.new(999)) + assert_equal(@e2, OpenSSL::BN.new(-999)) + assert_equal(@e3, OpenSSL::BN.new(2**107-1)) + assert_equal(@e4, OpenSSL::BN.new(-(2**107-1))) + + assert_equal(@e1, 999.to_bn) + assert_equal(@e2, -999.to_bn) + assert_equal(@e3, (2**107-1).to_bn) + assert_equal(@e4, (-(2**107-1)).to_bn) + end + + def test_to_str + assert_equal("999", @e1.to_s(10)) + assert_equal("-999", @e2.to_s(10)) + assert_equal((2**107-1).to_s, @e3.to_s(10)) + assert_equal((-(2**107-1)).to_s, @e4.to_s(10)) + assert_equal("999", @e1.to_s) + + assert_equal("03E7", @e1.to_s(16)) + assert_equal("-03E7", @e2.to_s(16)) + assert_equal("07FFFFFFFFFFFFFFFFFFFFFFFFFF", @e3.to_s(16)) + assert_equal("-07FFFFFFFFFFFFFFFFFFFFFFFFFF", @e4.to_s(16)) + + assert_equal("\x03\xe7", @e1.to_s(2)) + assert_equal("\x03\xe7", @e2.to_s(2)) + assert_equal("\x07\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff", @e3.to_s(2)) + assert_equal("\x07\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff", @e4.to_s(2)) + + assert_equal("\x00\x00\x00\x02\x03\xe7", @e1.to_s(0)) + assert_equal("\x00\x00\x00\x02\x83\xe7", @e2.to_s(0)) + assert_equal("\x00\x00\x00\x0e\x07\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff", @e3.to_s(0)) + assert_equal("\x00\x00\x00\x0e\x87\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff", @e4.to_s(0)) + end + + def test_to_int + assert_equal(999, @e1.to_i) + assert_equal(-999, @e2.to_i) + assert_equal(2**107-1, @e3.to_i) + assert_equal(-(2**107-1), @e4.to_i) + + assert_equal(999, @e1.to_int) + end + + def test_coerce + assert_equal(["", "-999"], @e2.coerce("")) + assert_equal([1000, -999], @e2.coerce(1000)) + assert_raise(TypeError) { @e2.coerce(Class.new.new) } + end + + def test_zero_p + assert_equal(true, 0.to_bn.zero?) + assert_equal(false, 1.to_bn.zero?) + end + + def test_one_p + assert_equal(true, 1.to_bn.one?) + assert_equal(false, 2.to_bn.one?) + end + + def test_odd_p + assert_equal(true, 1.to_bn.odd?) + assert_equal(false, 2.to_bn.odd?) + end + + def test_negative_p + assert_equal(false, 0.to_bn.negative?) + assert_equal(false, @e1.negative?) + assert_equal(true, @e2.negative?) + end + + def test_sqr + assert_equal(1, 1.to_bn.sqr) + assert_equal(100, 10.to_bn.sqr) + end + + def test_four_ops + assert_equal(3, 1.to_bn + 2) + assert_equal(-1, 1.to_bn + -2) + assert_equal(-1, 1.to_bn - 2) + assert_equal(3, 1.to_bn - -2) + assert_equal(2, 1.to_bn * 2) + assert_equal(-2, 1.to_bn * -2) + assert_equal([0, 1], 1.to_bn / 2) + assert_equal([2, 0], 2.to_bn / 1) + assert_raise(OpenSSL::BNError) { 1.to_bn / 0 } + end + + def test_unary_plus_minus + assert_equal(999, +@e1) + assert_equal(-999, +@e2) + assert_equal(-999, -@e1) + assert_equal(+999, -@e2) + end + + def test_mod + assert_equal(1, 1.to_bn % 2) + assert_equal(0, 2.to_bn % 1) + assert_equal(-2, -2.to_bn % 7) end -end + def test_exp + assert_equal(1, 1.to_bn ** 5) + assert_equal(32, 2.to_bn ** 5) + end + + def test_gcd + assert_equal(1, 7.to_bn.gcd(5)) + assert_equal(8, 24.to_bn.gcd(16)) + end + + def test_mod_sqr + assert_equal(4, 3.to_bn.mod_sqr(5)) + assert_equal(0, 59.to_bn.mod_sqr(59)) + end + + def test_mod_inverse + assert_equal(2, 3.to_bn.mod_inverse(5)) + assert_raise(OpenSSL::BNError) { 3.to_bn.mod_inverse(6) } + end + + def test_mod_add + assert_equal(1, 3.to_bn.mod_add(5, 7)) + assert_equal(2, 3.to_bn.mod_add(5, 3)) + assert_equal(5, 3.to_bn.mod_add(-5, 7)) + end + + def test_mod_sub + assert_equal(1, 11.to_bn.mod_sub(3, 7)) + assert_equal(2, 11.to_bn.mod_sub(3, 3)) + assert_equal(5, 3.to_bn.mod_sub(5, 7)) + end + + def test_mod_mul + assert_equal(1, 2.to_bn.mod_mul(4, 7)) + assert_equal(5, 2.to_bn.mod_mul(-1, 7)) + end + + def test_mod_exp + assert_equal(1, 3.to_bn.mod_exp(2, 8)) + assert_equal(4, 2.to_bn.mod_exp(5, 7)) + end + + def test_bit_operations + e = 0b10010010.to_bn + assert_equal(0b10010011, e.set_bit!(0)) + assert_equal(0b10010011, e.set_bit!(1)) + assert_equal(0b1010010011, e.set_bit!(9)) + + e = 0b10010010.to_bn + assert_equal(0b10010010, e.clear_bit!(0)) + assert_equal(0b10010000, e.clear_bit!(1)) + + e = 0b10010010.to_bn + assert_equal(0b10010010, e.mask_bits!(8)) + assert_equal(0b10, e.mask_bits!(3)) + + e = 0b10010010.to_bn + assert_equal(false, e.bit_set?(0)) + assert_equal(true, e.bit_set?(1)) + assert_equal(false, e.bit_set?(1000)) + + e = 0b10010010.to_bn + assert_equal(0b1001001000, e << 2) + assert_equal(0b10010010, e) + assert_equal(0b1001001000, e.lshift!(2)) + assert_equal(0b1001001000, e) + + e = 0b10010010.to_bn + assert_equal(0b100100, e >> 2) + assert_equal(0b10010010, e) + assert_equal(0b100100, e.rshift!(2)) + assert_equal(0b100100, e) + end + + def test_random + 10.times { + r1 = OpenSSL::BN.rand(8) + assert_include(128..255, r1) + r2 = OpenSSL::BN.rand(8, -1) + assert_include(0..255, r2) + r3 = OpenSSL::BN.rand(8, 1) + assert_include(192..255, r3) + r4 = OpenSSL::BN.rand(8, 1, true) + assert_include(192..255, r4) + assert_equal(true, r4.odd?) + + r5 = OpenSSL::BN.rand_range(256) + assert_include(0..255, r5) + } + end + + def test_prime + p1 = OpenSSL::BN.generate_prime(32) + assert_include(0...2**32, p1) + assert_equal(true, Prime.prime?(p1.to_i)) + p2 = OpenSSL::BN.generate_prime(32, true) + assert_equal(true, Prime.prime?((p2.to_i - 1) / 2)) + p3 = OpenSSL::BN.generate_prime(32, false, 4) + assert_equal(1, p3 % 4) + p4 = OpenSSL::BN.generate_prime(32, false, 4, 3) + assert_equal(3, p4 % 4) + + assert_equal(true, p1.prime?) + assert_equal(true, p2.prime?) + assert_equal(true, p3.prime?) + assert_equal(true, p4.prime?) + assert_equal(true, @e3.prime?) + assert_equal(true, @e3.prime_fasttest?) + end + + def test_num_bits_bytes + assert_equal(10, @e1.num_bits) + assert_equal(2, @e1.num_bytes) + assert_equal(107, @e3.num_bits) + assert_equal(14, @e3.num_bytes) + assert_equal(0, 0.to_bn.num_bits) + assert_equal(0, 0.to_bn.num_bytes) + assert_equal(9, -256.to_bn.num_bits) + assert_equal(2, -256.to_bn.num_bytes) + end + + def test_comparison + assert_equal(false, @e1 == nil) + assert_equal(false, @e1 == -999) + assert_equal(true, @e1 == 999) + assert_equal(true, @e1 == 999.to_bn) + assert_equal(false, @e1.eql?(nil)) + assert_equal(false, @e1.eql?(999)) + assert_equal(true, @e1.eql?(999.to_bn)) + assert_equal(@e1.hash, 999.to_bn.hash) + assert_not_equal(@e1.hash, @e3.hash) + assert_equal(0, @e1.cmp(999)) + assert_equal(1, @e1.cmp(-999)) + assert_equal(0, @e1.ucmp(999)) + assert_equal(0, @e1.ucmp(-999)) + end end diff --git a/test/test_buffering.rb b/test/test_buffering.rb index f85353fc..73cfa9d8 100644 --- a/test/test_buffering.rb +++ b/test/test_buffering.rb @@ -86,4 +86,4 @@ class OpenSSL::TestBuffering < OpenSSL::TestCase assert_equal([97, 98, 99], res) end -end if defined?(OpenSSL::TestUtils) +end diff --git a/test/test_cipher.rb b/test/test_cipher.rb index ad0e87b4..ce64fbb9 100644 --- a/test/test_cipher.rb +++ b/test/test_cipher.rb @@ -1,8 +1,6 @@ # frozen_string_literal: false require_relative 'utils' -if defined?(OpenSSL::TestUtils) - class OpenSSL::TestCipher < OpenSSL::TestCase module Helper def has_cipher?(name) @@ -129,7 +127,7 @@ class OpenSSL::TestCipher < OpenSSL::TestCase assert_equal ct, cipher.update(pt) << cipher.final cipher = new_decryptor("aes-128-ctr", key: key, iv: iv, padding: 0) assert_equal pt, cipher.update(ct) << cipher.final - end if has_cipher?('aes-128-ctr') + end def test_ciphers OpenSSL::Cipher.ciphers.each{|name| @@ -165,10 +163,8 @@ class OpenSSL::TestCipher < OpenSSL::TestCase end def test_authenticated - if has_cipher?('aes-128-gcm') - cipher = OpenSSL::Cipher.new('aes-128-gcm') - assert_predicate(cipher, :authenticated?) - end + cipher = OpenSSL::Cipher.new('aes-128-gcm') + assert_predicate(cipher, :authenticated?) cipher = OpenSSL::Cipher.new('aes-128-cbc') assert_not_predicate(cipher, :authenticated?) end @@ -220,7 +216,7 @@ class OpenSSL::TestCipher < OpenSSL::TestCase cipher = new_decryptor("aes-128-gcm", key: key, iv: iv, auth_tag: tag, auth_data: aad) cipher.update(ct2) assert_raise(OpenSSL::Cipher::CipherError) { cipher.final } - end if has_cipher?("aes-128-gcm") + end def test_aes_gcm_variable_iv_len # GCM spec Appendix B Test Case 5 @@ -243,7 +239,7 @@ class OpenSSL::TestCipher < OpenSSL::TestCase assert_equal tag, cipher.auth_tag cipher = new_decryptor("aes-128-gcm", key: key, iv_len: 8, iv: iv, auth_tag: tag, auth_data: aad) assert_equal pt, cipher.update(ct) << cipher.final - end if has_cipher?("aes-128-gcm") + end def test_aes_ocb_tag_len # RFC 7253 Appendix A; the second sample @@ -295,7 +291,7 @@ class OpenSSL::TestCipher < OpenSSL::TestCase assert_equal ct1, ct2 assert_equal tag1, tag2 - end if has_cipher?("aes-128-gcm") + end private @@ -314,5 +310,3 @@ class OpenSSL::TestCipher < OpenSSL::TestCase end end - -end diff --git a/test/test_config.rb b/test/test_config.rb index 786bce9d..42f9d3c5 100644 --- a/test/test_config.rb +++ b/test/test_config.rb @@ -297,4 +297,4 @@ __EOC__ @it['newsection'] = {'a' => 'b'} assert_not_equal(@it.sections.sort, c.sections.sort) end -end if defined?(OpenSSL::TestUtils) +end diff --git a/test/test_digest.rb b/test/test_digest.rb index 9891d99a..e81d618d 100644 --- a/test/test_digest.rb +++ b/test/test_digest.rb @@ -1,8 +1,6 @@ # frozen_string_literal: false require_relative 'utils' -if defined?(OpenSSL::TestUtils) - class OpenSSL::TestDigest < OpenSSL::TestCase def setup super @@ -54,13 +52,10 @@ class OpenSSL::TestDigest < OpenSSL::TestCase end def test_digest_constants - algs = %w(MD4 MD5 RIPEMD160 SHA1) + algs = %w(MD4 MD5 RIPEMD160 SHA1 SHA224 SHA256 SHA384 SHA512) if OpenSSL::OPENSSL_VERSION_NUMBER < 0x10100000 algs += %w(DSS1 SHA) end - if OpenSSL::OPENSSL_VERSION_NUMBER > 0x00908000 - algs += %w(SHA224 SHA256 SHA384 SHA512) - end algs.each do |alg| assert_not_nil(OpenSSL::Digest.new(alg)) klass = OpenSSL::Digest.const_get(alg) @@ -73,34 +68,32 @@ class OpenSSL::TestDigest < OpenSSL::TestCase check_digest(OpenSSL::ASN1::ObjectId.new("SHA1")) end - if OpenSSL::OPENSSL_VERSION_NUMBER > 0x00908000 - def encode16(str) - str.unpack("H*").first - end + def encode16(str) + str.unpack("H*").first + end - def test_098_features - sha224_a = "abd37534c7d9a2efb9465de931cd7055ffdb8879563ae98078d6d6d5" - sha256_a = "ca978112ca1bbdcafac231b39a23dc4da786eff8147c4e72b9807785afee48bb" - sha384_a = "54a59b9f22b0b80880d8427e548b7c23abd873486e1f035dce9cd697e85175033caa88e6d57bc35efae0b5afd3145f31" - sha512_a = "1f40fc92da241694750979ee6cf582f2d5d7d28e18335de05abc54d0560e0f5302860c652bf08d560252aa5e74210546f369fbbbce8c12cfc7957b2652fe9a75" - - assert_equal(sha224_a, OpenSSL::Digest::SHA224.hexdigest("a")) - assert_equal(sha256_a, OpenSSL::Digest::SHA256.hexdigest("a")) - assert_equal(sha384_a, OpenSSL::Digest::SHA384.hexdigest("a")) - assert_equal(sha512_a, OpenSSL::Digest::SHA512.hexdigest("a")) - - assert_equal(sha224_a, encode16(OpenSSL::Digest::SHA224.digest("a"))) - assert_equal(sha256_a, encode16(OpenSSL::Digest::SHA256.digest("a"))) - assert_equal(sha384_a, encode16(OpenSSL::Digest::SHA384.digest("a"))) - assert_equal(sha512_a, encode16(OpenSSL::Digest::SHA512.digest("a"))) - end + def test_sha2 + sha224_a = "abd37534c7d9a2efb9465de931cd7055ffdb8879563ae98078d6d6d5" + sha256_a = "ca978112ca1bbdcafac231b39a23dc4da786eff8147c4e72b9807785afee48bb" + sha384_a = "54a59b9f22b0b80880d8427e548b7c23abd873486e1f035dce9cd697e85175033caa88e6d57bc35efae0b5afd3145f31" + sha512_a = "1f40fc92da241694750979ee6cf582f2d5d7d28e18335de05abc54d0560e0f5302860c652bf08d560252aa5e74210546f369fbbbce8c12cfc7957b2652fe9a75" + + assert_equal(sha224_a, OpenSSL::Digest::SHA224.hexdigest("a")) + assert_equal(sha256_a, OpenSSL::Digest::SHA256.hexdigest("a")) + assert_equal(sha384_a, OpenSSL::Digest::SHA384.hexdigest("a")) + assert_equal(sha512_a, OpenSSL::Digest::SHA512.hexdigest("a")) + + assert_equal(sha224_a, encode16(OpenSSL::Digest::SHA224.digest("a"))) + assert_equal(sha256_a, encode16(OpenSSL::Digest::SHA256.digest("a"))) + assert_equal(sha384_a, encode16(OpenSSL::Digest::SHA384.digest("a"))) + assert_equal(sha512_a, encode16(OpenSSL::Digest::SHA512.digest("a"))) + end - def test_digest_by_oid_and_name_sha2 - check_digest(OpenSSL::ASN1::ObjectId.new("SHA224")) - check_digest(OpenSSL::ASN1::ObjectId.new("SHA256")) - check_digest(OpenSSL::ASN1::ObjectId.new("SHA384")) - check_digest(OpenSSL::ASN1::ObjectId.new("SHA512")) - end + def test_digest_by_oid_and_name_sha2 + check_digest(OpenSSL::ASN1::ObjectId.new("SHA224")) + check_digest(OpenSSL::ASN1::ObjectId.new("SHA256")) + check_digest(OpenSSL::ASN1::ObjectId.new("SHA384")) + check_digest(OpenSSL::ASN1::ObjectId.new("SHA512")) end def test_openssl_digest @@ -121,14 +114,4 @@ class OpenSSL::TestDigest < OpenSSL::TestCase d = OpenSSL::Digest.new(oid.oid) assert_not_nil(d) end - - def libressl? - OpenSSL::OPENSSL_VERSION.include?('LibreSSL') - end - - def version_since(verary) - (OpenSSL::OPENSSL_LIBRARY_VERSION.scan(/\d+/).map(&:to_i) <=> verary) != -1 - end -end - end diff --git a/test/test_engine.rb b/test/test_engine.rb index 75e45eb7..a987f267 100644 --- a/test/test_engine.rb +++ b/test/test_engine.rb @@ -96,4 +96,4 @@ class OpenSSL::TestEngine < OpenSSL::TestCase end end -end if defined?(OpenSSL::TestUtils) && defined?(OpenSSL::Engine) +end if defined?(OpenSSL::Engine) diff --git a/test/test_fips.rb b/test/test_fips.rb index 534dade0..9ba352cb 100644 --- a/test/test_fips.rb +++ b/test/test_fips.rb @@ -1,8 +1,6 @@ # frozen_string_literal: false require_relative 'utils' -if defined?(OpenSSL::TestUtils) - class OpenSSL::TestFIPS < OpenSSL::TestCase def test_fips_mode_is_reentrant @@ -11,5 +9,3 @@ class OpenSSL::TestFIPS < OpenSSL::TestCase end end - -end diff --git a/test/test_hmac.rb b/test/test_hmac.rb index dbde97d9..86857ba0 100644 --- a/test/test_hmac.rb +++ b/test/test_hmac.rb @@ -37,4 +37,4 @@ class OpenSSL::TestHMAC < OpenSSL::TestCase second = h1.update("test").hexdigest assert_equal first, second end -end if defined?(OpenSSL::TestUtils) +end diff --git a/test/test_ns_spki.rb b/test/test_ns_spki.rb index ac34613f..4905fba4 100644 --- a/test/test_ns_spki.rb +++ b/test/test_ns_spki.rb @@ -1,8 +1,6 @@ # frozen_string_literal: false require_relative 'utils' -if defined?(OpenSSL::TestUtils) - class OpenSSL::TestNSSPI < OpenSSL::TestCase def setup super @@ -17,8 +15,8 @@ class OpenSSL::TestNSSPI < OpenSSL::TestCase end def test_build_data - key1 = OpenSSL::TestUtils::TEST_KEY_RSA1024 - key2 = OpenSSL::TestUtils::TEST_KEY_RSA2048 + key1 = Fixtures.pkey("rsa1024") + key2 = Fixtures.pkey("rsa2048") spki = OpenSSL::Netscape::SPKI.new spki.challenge = "RandomString" spki.public_key = key1.public_key @@ -49,5 +47,3 @@ class OpenSSL::TestNSSPI < OpenSSL::TestCase assert_equal(OpenSSL::PKey::RSA, spki.public_key.class) end end - -end diff --git a/test/test_ocsp.rb b/test/test_ocsp.rb index 8881f25d..6677d751 100644 --- a/test/test_ocsp.rb +++ b/test/test_ocsp.rb @@ -1,8 +1,6 @@ # frozen_string_literal: false require_relative "utils" -if defined?(OpenSSL::TestUtils) - class OpenSSL::TestOCSP < OpenSSL::TestCase def setup super @@ -13,7 +11,7 @@ class OpenSSL::TestOCSP < OpenSSL::TestCase # @cert2 @ocsp_cert ca_subj = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=TestCA") - @ca_key = OpenSSL::TestUtils::TEST_KEY_RSA1024 + @ca_key = Fixtures.pkey("rsa1024") ca_exts = [ ["basicConstraints", "CA:TRUE", true], ["keyUsage", "cRLSign,keyCertSign", true], @@ -22,7 +20,7 @@ class OpenSSL::TestOCSP < OpenSSL::TestCase ca_subj, @ca_key, 1, ca_exts, nil, nil) cert_subj = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=TestCA2") - @cert_key = OpenSSL::TestUtils::TEST_KEY_RSA1024 + @cert_key = Fixtures.pkey("rsa1024") cert_exts = [ ["basicConstraints", "CA:TRUE", true], ["keyUsage", "cRLSign,keyCertSign", true], @@ -31,14 +29,14 @@ class OpenSSL::TestOCSP < OpenSSL::TestCase cert_subj, @cert_key, 5, cert_exts, @ca_cert, @ca_key) cert2_subj = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=TestCert") - @cert2_key = OpenSSL::TestUtils::TEST_KEY_RSA1024 + @cert2_key = Fixtures.pkey("rsa1024") cert2_exts = [ ] @cert2 = OpenSSL::TestUtils.issue_cert( cert2_subj, @cert2_key, 10, cert2_exts, @cert, @cert_key) ocsp_subj = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=TestCAOCSP") - @ocsp_key = OpenSSL::TestUtils::TEST_KEY_RSA2048 + @ocsp_key = Fixtures.pkey("rsa2048") ocsp_exts = [ ["extendedKeyUsage", "OCSPSigning", true], ] @@ -294,5 +292,3 @@ class OpenSSL::TestOCSP < OpenSSL::TestCase assert_equal res.to_der, res.dup.to_der end end - -end diff --git a/test/test_pair.rb b/test/test_pair.rb index 9a5205f8..a462891d 100644 --- a/test/test_pair.rb +++ b/test/test_pair.rb @@ -1,8 +1,6 @@ # frozen_string_literal: false require_relative 'utils' -if defined?(OpenSSL::TestUtils) - require 'socket' require_relative 'ut_eof' @@ -13,7 +11,7 @@ module OpenSSL::SSLPairM ctx = OpenSSL::SSL::SSLContext.new() ctx.ciphers = "ADH" ctx.security_level = 0 - ctx.tmp_dh_callback = proc { OpenSSL::TestUtils::TEST_KEY_DH1024 } + ctx.tmp_dh_callback = proc { OpenSSL::TestUtils::Fixtures.pkey_dh("dh1024") } tcps = create_tcp_server(host, port) ssls = OpenSSL::SSL::SSLServer.new(tcps, ctx) return ssls @@ -356,7 +354,7 @@ module OpenSSL::TestPairM ctx2 = OpenSSL::SSL::SSLContext.new ctx2.ciphers = "ADH" ctx2.security_level = 0 - ctx2.tmp_dh_callback = proc { OpenSSL::TestUtils::TEST_KEY_DH1024 } + ctx2.tmp_dh_callback = proc { OpenSSL::TestUtils::Fixtures.pkey_dh("dh1024") } sock1, sock2 = tcp_pair @@ -406,7 +404,7 @@ module OpenSSL::TestPairM ctx = OpenSSL::SSL::SSLContext.new() ctx.ciphers = "ADH" ctx.security_level = 0 - ctx.tmp_dh_callback = proc { OpenSSL::TestUtils::TEST_KEY_DH1024 } + ctx.tmp_dh_callback = proc { OpenSSL::TestUtils::Fixtures.pkey_dh("dh1024") } sock1, sock2 = tcp_pair @@ -489,5 +487,3 @@ class OpenSSL::TestPairLowlevelSocket < OpenSSL::TestCase include OpenSSL::SSLPairLowlevelSocket include OpenSSL::TestPairM end - -end diff --git a/test/test_pkcs12.rb b/test/test_pkcs12.rb index 403718b9..2a3b47f4 100644 --- a/test/test_pkcs12.rb +++ b/test/test_pkcs12.rb @@ -1,12 +1,8 @@ # frozen_string_literal: false require_relative "utils" -if defined?(OpenSSL::TestUtils) - module OpenSSL class TestPKCS12 < OpenSSL::TestCase - include OpenSSL::TestUtils - def setup super ca = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=CA") @@ -16,7 +12,7 @@ module OpenSSL ["subjectKeyIdentifier","hash",false], ["authorityKeyIdentifier","keyid:always",false], ] - @cacert = issue_cert(ca, TEST_KEY_RSA2048, 1, ca_exts, nil, nil) + @cacert = issue_cert(ca, Fixtures.pkey("rsa2048"), 1, ca_exts, nil, nil) inter_ca = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=Intermediate CA") inter_ca_key = OpenSSL::PKey.read <<-_EOS_ @@ -36,25 +32,26 @@ FJx7d3f29gkzynCLJDkCQGQZlEZJC4vWmWJGRKJ24P6MyQn3VsPfErSKOg4lvyM3 Li8JsX5yIiuVYaBg/6ha3tOg4TCa5K/3r3tVliRZ2Es= -----END RSA PRIVATE KEY----- _EOS_ - @inter_cacert = issue_cert(inter_ca, inter_ca_key, 2, ca_exts, @cacert, TEST_KEY_RSA2048) + @inter_cacert = issue_cert(inter_ca, inter_ca_key, 2, ca_exts, @cacert, Fixtures.pkey("rsa2048")) exts = [ ["keyUsage","digitalSignature",true], ["subjectKeyIdentifier","hash",false], ] ee = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=Ruby PKCS12 Test Certificate") - @mycert = issue_cert(ee, TEST_KEY_RSA1024, 3, exts, @inter_cacert, inter_ca_key) + @mykey = Fixtures.pkey("rsa1024") + @mycert = issue_cert(ee, @mykey, 3, exts, @inter_cacert, inter_ca_key) end def test_create pkcs12 = OpenSSL::PKCS12.create( "omg", "hello", - TEST_KEY_RSA1024, + @mykey, @mycert ) - assert_equal @mycert, pkcs12.certificate - assert_equal TEST_KEY_RSA1024, pkcs12.key + assert_equal @mycert.to_der, pkcs12.certificate.to_der + assert_equal @mykey.to_der, pkcs12.key.to_der assert_nil pkcs12.ca_certs end @@ -62,11 +59,11 @@ Li8JsX5yIiuVYaBg/6ha3tOg4TCa5K/3r3tVliRZ2Es= pkcs12 = OpenSSL::PKCS12.create( nil, "hello", - TEST_KEY_RSA1024, + @mykey, @mycert ) - assert_equal @mycert, pkcs12.certificate - assert_equal TEST_KEY_RSA1024, pkcs12.key + assert_equal @mycert.to_der, pkcs12.certificate.to_der + assert_equal @mykey.to_der, pkcs12.key.to_der assert_nil pkcs12.ca_certs decoded = OpenSSL::PKCS12.new(pkcs12.to_der) @@ -79,7 +76,7 @@ Li8JsX5yIiuVYaBg/6ha3tOg4TCa5K/3r3tVliRZ2Es= pkcs12 = OpenSSL::PKCS12.create( "omg", "hello", - TEST_KEY_RSA1024, + @mykey, @mycert, chain ) @@ -94,7 +91,7 @@ Li8JsX5yIiuVYaBg/6ha3tOg4TCa5K/3r3tVliRZ2Es= pkcs12 = OpenSSL::PKCS12.create( passwd, "hello", - TEST_KEY_RSA1024, + @mykey, @mycert, chain ) @@ -104,7 +101,7 @@ Li8JsX5yIiuVYaBg/6ha3tOg4TCa5K/3r3tVliRZ2Es= assert_include_cert @cacert, decoded.ca_certs assert_include_cert @inter_cacert, decoded.ca_certs assert_cert @mycert, decoded.certificate - assert_equal TEST_KEY_RSA1024.to_der, decoded.key.to_der + assert_equal @mykey.to_der, decoded.key.to_der end def test_create_with_bad_nid @@ -112,7 +109,7 @@ Li8JsX5yIiuVYaBg/6ha3tOg4TCa5K/3r3tVliRZ2Es= OpenSSL::PKCS12.create( "omg", "hello", - TEST_KEY_RSA1024, + @mykey, @mycert, [], "foo" @@ -124,7 +121,7 @@ Li8JsX5yIiuVYaBg/6ha3tOg4TCa5K/3r3tVliRZ2Es= OpenSSL::PKCS12.create( "omg", "hello", - TEST_KEY_RSA1024, + @mykey, @mycert, [], nil, @@ -136,7 +133,7 @@ Li8JsX5yIiuVYaBg/6ha3tOg4TCa5K/3r3tVliRZ2Es= OpenSSL::PKCS12.create( "omg", "hello", - TEST_KEY_RSA1024, + @mykey, @mycert, [], nil, @@ -150,7 +147,7 @@ Li8JsX5yIiuVYaBg/6ha3tOg4TCa5K/3r3tVliRZ2Es= OpenSSL::PKCS12.create( "omg", "hello", - TEST_KEY_RSA1024, + @mykey, @mycert, [], nil, @@ -163,7 +160,7 @@ Li8JsX5yIiuVYaBg/6ha3tOg4TCa5K/3r3tVliRZ2Es= OpenSSL::PKCS12.create( "omg", "hello", - TEST_KEY_RSA1024, + @mykey, @mycert, [], nil, @@ -216,7 +213,7 @@ vyl2WuMdEwQIMWFFphPkIUICAggA EOF p12 = OpenSSL::PKCS12.new(str, "abc123") - assert_equal TEST_KEY_RSA1024.to_der, p12.key.to_der + assert_equal @mykey.to_der, p12.key.to_der assert_equal @mycert.subject.to_der, p12.certificate.subject.to_der assert_equal [], Array(p12.ca_certs) end @@ -275,13 +272,13 @@ Kw4DAhoFAAQUYAuwVtGD1TdgbFK4Yal2XBgwUR4ECEawsN3rNaa6AgIIAA== EOF p12 = OpenSSL::PKCS12.new(str, "abc123") - assert_equal TEST_KEY_RSA1024.to_der, p12.key.to_der + assert_equal @mykey.to_der, p12.key.to_der assert_equal nil, p12.certificate assert_equal [], Array(p12.ca_certs) end def test_dup - p12 = OpenSSL::PKCS12.create("pass", "name", TEST_KEY_RSA1024, @mycert) + p12 = OpenSSL::PKCS12.create("pass", "name", @mykey, @mycert) assert_equal p12.to_der, p12.dup.to_der end @@ -311,5 +308,3 @@ Kw4DAhoFAAQUYAuwVtGD1TdgbFK4Yal2XBgwUR4ECEawsN3rNaa6AgIIAA== end end - -end diff --git a/test/test_pkcs5.rb b/test/test_pkcs5.rb index ad8132c2..59a7e7c9 100644 --- a/test/test_pkcs5.rb +++ b/test/test_pkcs5.rb @@ -93,6 +93,6 @@ class OpenSSL::TestPKCS5 < OpenSSL::TestCase value1 = OpenSSL::PKCS5.pbkdf2_hmac(p, s, c, dk_len, digest) value2 = OpenSSL::PKCS5.pbkdf2_hmac(p, s, c, dk_len, digest) assert_equal(value1, value2) - end if OpenSSL::PKCS5.respond_to?(:pbkdf2_hmac) + end -end if defined?(OpenSSL::TestUtils) +end diff --git a/test/test_pkcs7.rb b/test/test_pkcs7.rb index 48d59997..c0a04acd 100644 --- a/test/test_pkcs7.rb +++ b/test/test_pkcs7.rb @@ -1,13 +1,11 @@ # frozen_string_literal: false require_relative 'utils' -if defined?(OpenSSL::TestUtils) - class OpenSSL::TestPKCS7 < OpenSSL::TestCase def setup super - @rsa1024 = OpenSSL::TestUtils::TEST_KEY_RSA1024 - @rsa2048 = OpenSSL::TestUtils::TEST_KEY_RSA2048 + @rsa1024 = Fixtures.pkey("rsa1024") + @rsa2048 = Fixtures.pkey("rsa2048") ca = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=CA") ee1 = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=EE1") ee2 = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=EE2") @@ -28,10 +26,6 @@ class OpenSSL::TestPKCS7 < OpenSSL::TestCase @ee2_cert = issue_cert(ee2, @rsa1024, 3, ee_exts, @ca_cert, @rsa2048) end - def issue_cert(*args) - OpenSSL::TestUtils.issue_cert(*args) - end - def test_signed store = OpenSSL::X509::Store.new store.add_cert(@ca_cert) @@ -285,5 +279,3 @@ END assert_equal(pki_message_content_pem, p7enc.to_pem) end end - -end diff --git a/test/test_pkey_dh.rb b/test/test_pkey_dh.rb index 866a3931..e7e76f97 100644 --- a/test/test_pkey_dh.rb +++ b/test/test_pkey_dh.rb @@ -1,11 +1,7 @@ # frozen_string_literal: false require_relative 'utils' -if defined?(OpenSSL::TestUtils) - class OpenSSL::TestPKeyDH < OpenSSL::PKeyTestCase - DH1024 = OpenSSL::TestUtils::TEST_KEY_DH1024 - NEW_KEYLEN = 256 def test_new @@ -21,12 +17,13 @@ class OpenSSL::TestPKeyDH < OpenSSL::PKeyTestCase end def test_DHparams + dh1024 = Fixtures.pkey_dh("dh1024") asn1 = OpenSSL::ASN1::Sequence([ - OpenSSL::ASN1::Integer(DH1024.p), - OpenSSL::ASN1::Integer(DH1024.g) + OpenSSL::ASN1::Integer(dh1024.p), + OpenSSL::ASN1::Integer(dh1024.g) ]) key = OpenSSL::PKey::DH.new(asn1.to_der) - assert_same_dh dup_public(DH1024), key + assert_same_dh dup_public(dh1024), key pem = <<~EOF -----BEGIN DH PARAMETERS----- @@ -36,14 +33,14 @@ class OpenSSL::TestPKeyDH < OpenSSL::PKeyTestCase -----END DH PARAMETERS----- EOF key = OpenSSL::PKey::DH.new(pem) - assert_same_dh dup_public(DH1024), key + assert_same_dh dup_public(dh1024), key - assert_equal asn1.to_der, DH1024.to_der - assert_equal pem, DH1024.export + assert_equal asn1.to_der, dh1024.to_der + assert_equal pem, dh1024.export end def test_public_key - dh = OpenSSL::TestUtils::TEST_KEY_DH1024 + dh = Fixtures.pkey_dh("dh1024") public_key = dh.public_key assert_no_key(public_key) #implies public_key.public? is false! assert_equal(dh.to_der, public_key.to_der) @@ -51,14 +48,14 @@ class OpenSSL::TestPKeyDH < OpenSSL::PKeyTestCase end def test_generate_key - dh = OpenSSL::TestUtils::TEST_KEY_DH1024.public_key # creates a copy + dh = Fixtures.pkey_dh("dh1024").public_key # creates a copy assert_no_key(dh) dh.generate_key! assert_key(dh) end def test_key_exchange - dh = OpenSSL::TestUtils::TEST_KEY_DH1024 + dh = Fixtures.pkey_dh("dh1024") dh2 = dh.public_key dh.generate_key! dh2.generate_key! @@ -100,5 +97,3 @@ class OpenSSL::TestPKeyDH < OpenSSL::PKeyTestCase check_component(expected, key, [:p, :q, :g, :pub_key, :priv_key]) end end - -end diff --git a/test/test_pkey_dsa.rb b/test/test_pkey_dsa.rb index a4ccd1d8..52ff8579 100644 --- a/test/test_pkey_dsa.rb +++ b/test/test_pkey_dsa.rb @@ -2,11 +2,7 @@ require_relative 'utils' require 'base64' -if defined?(OpenSSL::TestUtils) - class OpenSSL::TestPKeyDSA < OpenSSL::PKeyTestCase - DSA512 = OpenSSL::TestUtils::TEST_KEY_DSA512 - def test_private key = OpenSSL::PKey::DSA.new(256) assert(key.private?) @@ -37,27 +33,27 @@ class OpenSSL::TestPKeyDSA < OpenSSL::PKeyTestCase end def test_sign_verify + dsa512 = Fixtures.pkey("dsa512") data = "Sign me!" if defined?(OpenSSL::Digest::DSS1) - signature = DSA512.sign(OpenSSL::Digest::DSS1.new, data) - assert_equal true, DSA512.verify(OpenSSL::Digest::DSS1.new, signature, data) + signature = dsa512.sign(OpenSSL::Digest::DSS1.new, data) + assert_equal true, dsa512.verify(OpenSSL::Digest::DSS1.new, signature, data) end - return if OpenSSL::OPENSSL_VERSION_NUMBER <= 0x010000000 - signature = DSA512.sign("SHA1", data) - assert_equal true, DSA512.verify("SHA1", signature, data) + signature = dsa512.sign("SHA1", data) + assert_equal true, dsa512.verify("SHA1", signature, data) signature0 = (<<~'end;').unpack("m")[0] MCwCFH5h40plgU5Fh0Z4wvEEpz0eE9SnAhRPbkRB8ggsN/vsSEYMXvJwjGg/ 6g== end; - assert_equal true, DSA512.verify("SHA256", signature0, data) + assert_equal true, dsa512.verify("SHA256", signature0, data) signature1 = signature0.succ - assert_equal false, DSA512.verify("SHA256", signature1, data) + assert_equal false, dsa512.verify("SHA256", signature1, data) end def test_sys_sign_verify - key = OpenSSL::TestUtils::TEST_KEY_DSA256 + key = Fixtures.pkey("dsa256") data = 'Sign me!' digest = OpenSSL::Digest::SHA1.digest(data) sig = key.syssign(digest) @@ -66,17 +62,18 @@ class OpenSSL::TestPKeyDSA < OpenSSL::PKeyTestCase def test_DSAPrivateKey # OpenSSL DSAPrivateKey format; similar to RSAPrivateKey + dsa512 = Fixtures.pkey("dsa512") asn1 = OpenSSL::ASN1::Sequence([ OpenSSL::ASN1::Integer(0), - OpenSSL::ASN1::Integer(DSA512.p), - OpenSSL::ASN1::Integer(DSA512.q), - OpenSSL::ASN1::Integer(DSA512.g), - OpenSSL::ASN1::Integer(DSA512.pub_key), - OpenSSL::ASN1::Integer(DSA512.priv_key) + OpenSSL::ASN1::Integer(dsa512.p), + OpenSSL::ASN1::Integer(dsa512.q), + OpenSSL::ASN1::Integer(dsa512.g), + OpenSSL::ASN1::Integer(dsa512.pub_key), + OpenSSL::ASN1::Integer(dsa512.priv_key) ]) key = OpenSSL::PKey::DSA.new(asn1.to_der) assert_predicate key, :private? - assert_same_dsa DSA512, key + assert_same_dsa dsa512, key pem = <<~EOF -----BEGIN DSA PRIVATE KEY----- @@ -89,14 +86,15 @@ class OpenSSL::TestPKeyDSA < OpenSSL::PKeyTestCase -----END DSA PRIVATE KEY----- EOF key = OpenSSL::PKey::DSA.new(pem) - assert_same_dsa DSA512, key + assert_same_dsa dsa512, key - assert_equal asn1.to_der, DSA512.to_der - assert_equal pem, DSA512.export + assert_equal asn1.to_der, dsa512.to_der + assert_equal pem, dsa512.export end def test_DSAPrivateKey_encrypted # key = abcdef + dsa512 = Fixtures.pkey("dsa512") pem = <<~EOF -----BEGIN DSA PRIVATE KEY----- Proc-Type: 4,ENCRYPTED @@ -111,35 +109,36 @@ class OpenSSL::TestPKeyDSA < OpenSSL::PKeyTestCase -----END DSA PRIVATE KEY----- EOF key = OpenSSL::PKey::DSA.new(pem, "abcdef") - assert_same_dsa DSA512, key + assert_same_dsa dsa512, key key = OpenSSL::PKey::DSA.new(pem) { "abcdef" } - assert_same_dsa DSA512, key + assert_same_dsa dsa512, key cipher = OpenSSL::Cipher.new("aes-128-cbc") - exported = DSA512.to_pem(cipher, "abcdef\0\1") - assert_same_dsa DSA512, OpenSSL::PKey::DSA.new(exported, "abcdef\0\1") + exported = dsa512.to_pem(cipher, "abcdef\0\1") + assert_same_dsa dsa512, OpenSSL::PKey::DSA.new(exported, "abcdef\0\1") assert_raise(OpenSSL::PKey::DSAError) { OpenSSL::PKey::DSA.new(exported, "abcdef") } end def test_PUBKEY + dsa512 = Fixtures.pkey("dsa512") asn1 = OpenSSL::ASN1::Sequence([ OpenSSL::ASN1::Sequence([ OpenSSL::ASN1::ObjectId("DSA"), OpenSSL::ASN1::Sequence([ - OpenSSL::ASN1::Integer(DSA512.p), - OpenSSL::ASN1::Integer(DSA512.q), - OpenSSL::ASN1::Integer(DSA512.g) + OpenSSL::ASN1::Integer(dsa512.p), + OpenSSL::ASN1::Integer(dsa512.q), + OpenSSL::ASN1::Integer(dsa512.g) ]) ]), OpenSSL::ASN1::BitString( - OpenSSL::ASN1::Integer(DSA512.pub_key).to_der + OpenSSL::ASN1::Integer(dsa512.pub_key).to_der ) ]) key = OpenSSL::PKey::DSA.new(asn1.to_der) assert_not_predicate key, :private? - assert_same_dsa dup_public(DSA512), key + assert_same_dsa dup_public(dsa512), key pem = <<~EOF -----BEGIN PUBLIC KEY----- @@ -152,10 +151,10 @@ class OpenSSL::TestPKeyDSA < OpenSSL::PKeyTestCase -----END PUBLIC KEY----- EOF key = OpenSSL::PKey::DSA.new(pem) - assert_same_dsa dup_public(DSA512), key + assert_same_dsa dup_public(dsa512), key - assert_equal asn1.to_der, dup_public(DSA512).to_der - assert_equal pem, dup_public(DSA512).export + assert_equal asn1.to_der, dup_public(dsa512).to_der + assert_equal pem, dup_public(dsa512).export end def test_read_DSAPublicKey_pem @@ -196,5 +195,3 @@ fWLOqqkzFeRrYMDzUpl36XktY6Yq8EJYlW9pCMmBVNy/dQ== check_component(expected, key, [:p, :q, :g, :pub_key, :priv_key]) end end - -end diff --git a/test/test_pkey_ec.rb b/test/test_pkey_ec.rb index e281f80c..e1d1e942 100644 --- a/test/test_pkey_ec.rb +++ b/test/test_pkey_ec.rb @@ -1,11 +1,9 @@ # frozen_string_literal: false require_relative 'utils' -if defined?(OpenSSL::TestUtils) && defined?(OpenSSL::PKey::EC) +if defined?(OpenSSL::PKey::EC) class OpenSSL::TestEC < OpenSSL::PKeyTestCase - P256 = OpenSSL::TestUtils::TEST_KEY_EC_P256V1 - def test_ec_key builtin_curves = OpenSSL::PKey::EC.builtin_curves assert_not_empty builtin_curves @@ -74,17 +72,18 @@ class OpenSSL::TestEC < OpenSSL::PKeyTestCase end def test_sign_verify + p256 = Fixtures.pkey("p256") data = "Sign me!" - signature = P256.sign("SHA1", data) - assert_equal true, P256.verify("SHA1", signature, data) + signature = p256.sign("SHA1", data) + assert_equal true, p256.verify("SHA1", signature, data) signature0 = (<<~'end;').unpack("m")[0] MEQCIEOTY/hD7eI8a0qlzxkIt8LLZ8uwiaSfVbjX2dPAvN11AiAQdCYx56Fq QdBp1B4sxJoA8jvODMMklMyBKVmudboA6A== end; - assert_equal true, P256.verify("SHA256", signature0, data) + assert_equal true, p256.verify("SHA256", signature0, data) signature1 = signature0.succ - assert_equal false, P256.verify("SHA256", signature1, data) + assert_equal false, p256.verify("SHA256", signature1, data) end def test_dsa_sign_verify @@ -100,16 +99,9 @@ class OpenSSL::TestEC < OpenSSL::PKeyTestCase key = OpenSSL::PKey::EC.new("prime256v1").generate_key! size = key.group.order.num_bits / 8 + 1 dgst = (1..size).to_a.pack('C*') - begin - sig = key.dsa_sign_asn1(dgst) - # dgst is auto-truncated according to FIPS186-3 after openssl-0.9.8m - assert(key.dsa_verify_asn1(dgst + "garbage", sig)) - rescue OpenSSL::PKey::ECError => e - # just an exception for longer dgst before openssl-0.9.8m - assert_equal('ECDSA_sign: data too large for key size', e.message) - # no need to do following tests - return - end + sig = key.dsa_sign_asn1(dgst) + # dgst is auto-truncated according to FIPS186-3 after openssl-0.9.8m + assert(key.dsa_verify_asn1(dgst + "garbage", sig)) end def test_dh_compute_key @@ -124,21 +116,22 @@ class OpenSSL::TestEC < OpenSSL::PKeyTestCase end def test_ECPrivateKey + p256 = Fixtures.pkey("p256") asn1 = OpenSSL::ASN1::Sequence([ OpenSSL::ASN1::Integer(1), - OpenSSL::ASN1::OctetString(P256.private_key.to_s(2)), + OpenSSL::ASN1::OctetString(p256.private_key.to_s(2)), OpenSSL::ASN1::ASN1Data.new( [OpenSSL::ASN1::ObjectId("prime256v1")], 0, :CONTEXT_SPECIFIC ), OpenSSL::ASN1::ASN1Data.new( - [OpenSSL::ASN1::BitString(P256.public_key.to_bn.to_s(2))], + [OpenSSL::ASN1::BitString(p256.public_key.to_bn.to_s(2))], 1, :CONTEXT_SPECIFIC ) ]) key = OpenSSL::PKey::EC.new(asn1.to_der) assert_predicate key, :private? - assert_same_ec P256, key + assert_same_ec p256, key pem = <<~EOF -----BEGIN EC PRIVATE KEY----- @@ -148,13 +141,14 @@ class OpenSSL::TestEC < OpenSSL::PKeyTestCase -----END EC PRIVATE KEY----- EOF key = OpenSSL::PKey::EC.new(pem) - assert_same_ec P256, key + assert_same_ec p256, key - assert_equal asn1.to_der, P256.to_der - assert_equal pem, P256.export + assert_equal asn1.to_der, p256.to_der + assert_equal pem, p256.export end def test_ECPrivateKey_encrypted + p256 = Fixtures.pkey("p256") # key = abcdef pem = <<~EOF -----BEGIN EC PRIVATE KEY----- @@ -167,31 +161,32 @@ class OpenSSL::TestEC < OpenSSL::PKeyTestCase -----END EC PRIVATE KEY----- EOF key = OpenSSL::PKey::EC.new(pem, "abcdef") - assert_same_ec P256, key + assert_same_ec p256, key key = OpenSSL::PKey::EC.new(pem) { "abcdef" } - assert_same_ec P256, key + assert_same_ec p256, key cipher = OpenSSL::Cipher.new("aes-128-cbc") - exported = P256.to_pem(cipher, "abcdef\0\1") - assert_same_ec P256, OpenSSL::PKey::EC.new(exported, "abcdef\0\1") + exported = p256.to_pem(cipher, "abcdef\0\1") + assert_same_ec p256, OpenSSL::PKey::EC.new(exported, "abcdef\0\1") assert_raise(OpenSSL::PKey::ECError) { OpenSSL::PKey::EC.new(exported, "abcdef") } end def test_PUBKEY + p256 = Fixtures.pkey("p256") asn1 = OpenSSL::ASN1::Sequence([ OpenSSL::ASN1::Sequence([ OpenSSL::ASN1::ObjectId("id-ecPublicKey"), OpenSSL::ASN1::ObjectId("prime256v1") ]), OpenSSL::ASN1::BitString( - P256.public_key.to_bn.to_s(2) + p256.public_key.to_bn.to_s(2) ) ]) key = OpenSSL::PKey::EC.new(asn1.to_der) assert_not_predicate key, :private? - assert_same_ec dup_public(P256), key + assert_same_ec dup_public(p256), key pem = <<~EOF -----BEGIN PUBLIC KEY----- @@ -200,10 +195,10 @@ class OpenSSL::TestEC < OpenSSL::PKeyTestCase -----END PUBLIC KEY----- EOF key = OpenSSL::PKey::EC.new(pem) - assert_same_ec dup_public(P256), key + assert_same_ec dup_public(p256), key - assert_equal asn1.to_der, dup_public(P256).to_der - assert_equal pem, dup_public(P256).export + assert_equal asn1.to_der, dup_public(p256).to_der + assert_equal pem, dup_public(p256).export end def test_ec_group @@ -305,7 +300,7 @@ class OpenSSL::TestEC < OpenSSL::PKeyTestCase raise if $!.message !~ /unsupported field/ end - p256_key = P256 + p256_key = Fixtures.pkey("p256") p256_g = p256_key.group assert_equal(p256_key.public_key, p256_g.generator.mul(p256_key.private_key)) diff --git a/test/test_pkey_rsa.rb b/test/test_pkey_rsa.rb index b24f1d55..a4ade134 100644 --- a/test/test_pkey_rsa.rb +++ b/test/test_pkey_rsa.rb @@ -2,11 +2,7 @@ require_relative 'utils' require 'base64' -if defined?(OpenSSL::TestUtils) - class OpenSSL::TestPKeyRSA < OpenSSL::PKeyTestCase - RSA1024 = OpenSSL::TestUtils::TEST_KEY_RSA1024 - def test_padding key = OpenSSL::PKey::RSA.new(512, 3) @@ -71,22 +67,23 @@ class OpenSSL::TestPKeyRSA < OpenSSL::PKeyTestCase end def test_sign_verify + rsa1024 = Fixtures.pkey("rsa1024") data = "Sign me!" - signature = RSA1024.sign("SHA1", data) - assert_equal true, RSA1024.verify("SHA1", signature, data) + signature = rsa1024.sign("SHA1", data) + assert_equal true, rsa1024.verify("SHA1", signature, data) signature0 = (<<~'end;').unpack("m")[0] oLCgbprPvfhM4pjFQiDTFeWI9Sk+Og7Nh9TmIZ/xSxf2CGXQrptlwo7NQ28+ WA6YQo8jPH4hSuyWIM4Gz4qRYiYRkl5TDMUYob94zm8Si1HxEiS9354tzvqS zS8MLW2BtNPuTubMxTItHGTnOzo9sUg0LAHVFt8kHG2NfKAw/gQ= end; - assert_equal true, RSA1024.verify("SHA256", signature0, data) + assert_equal true, rsa1024.verify("SHA256", signature0, data) signature1 = signature0.succ - assert_equal false, RSA1024.verify("SHA256", signature1, data) + assert_equal false, rsa1024.verify("SHA256", signature1, data) end def test_digest_state_irrelevant_sign - key = RSA1024 + key = Fixtures.pkey("rsa1024") digest1 = OpenSSL::Digest::SHA1.new digest2 = OpenSSL::Digest::SHA1.new data = 'Sign me!' @@ -97,7 +94,7 @@ class OpenSSL::TestPKeyRSA < OpenSSL::PKeyTestCase end def test_digest_state_irrelevant_verify - key = RSA1024 + key = Fixtures.pkey("rsa1024") digest1 = OpenSSL::Digest::SHA1.new digest2 = OpenSSL::Digest::SHA1.new data = 'Sign me!' @@ -116,20 +113,21 @@ class OpenSSL::TestPKeyRSA < OpenSSL::PKeyTestCase end def test_RSAPrivateKey + rsa1024 = Fixtures.pkey("rsa1024") asn1 = OpenSSL::ASN1::Sequence([ OpenSSL::ASN1::Integer(0), - OpenSSL::ASN1::Integer(RSA1024.n), - OpenSSL::ASN1::Integer(RSA1024.e), - OpenSSL::ASN1::Integer(RSA1024.d), - OpenSSL::ASN1::Integer(RSA1024.p), - OpenSSL::ASN1::Integer(RSA1024.q), - OpenSSL::ASN1::Integer(RSA1024.dmp1), - OpenSSL::ASN1::Integer(RSA1024.dmq1), - OpenSSL::ASN1::Integer(RSA1024.iqmp) + OpenSSL::ASN1::Integer(rsa1024.n), + OpenSSL::ASN1::Integer(rsa1024.e), + OpenSSL::ASN1::Integer(rsa1024.d), + OpenSSL::ASN1::Integer(rsa1024.p), + OpenSSL::ASN1::Integer(rsa1024.q), + OpenSSL::ASN1::Integer(rsa1024.dmp1), + OpenSSL::ASN1::Integer(rsa1024.dmq1), + OpenSSL::ASN1::Integer(rsa1024.iqmp) ]) key = OpenSSL::PKey::RSA.new(asn1.to_der) assert_predicate key, :private? - assert_same_rsa RSA1024, key + assert_same_rsa rsa1024, key pem = <<~EOF -----BEGIN RSA PRIVATE KEY----- @@ -149,13 +147,14 @@ class OpenSSL::TestPKeyRSA < OpenSSL::PKeyTestCase -----END RSA PRIVATE KEY----- EOF key = OpenSSL::PKey::RSA.new(pem) - assert_same_rsa RSA1024, key + assert_same_rsa rsa1024, key - assert_equal asn1.to_der, RSA1024.to_der - assert_equal pem, RSA1024.export + assert_equal asn1.to_der, rsa1024.to_der + assert_equal pem, rsa1024.export end def test_RSAPrivateKey_encrypted + rsa1024 = Fixtures.pkey("rsa1024") # key = abcdef pem = <<~EOF -----BEGIN RSA PRIVATE KEY----- @@ -178,26 +177,27 @@ class OpenSSL::TestPKeyRSA < OpenSSL::PKeyTestCase -----END RSA PRIVATE KEY----- EOF key = OpenSSL::PKey::RSA.new(pem, "abcdef") - assert_same_rsa RSA1024, key + assert_same_rsa rsa1024, key key = OpenSSL::PKey::RSA.new(pem) { "abcdef" } - assert_same_rsa RSA1024, key + assert_same_rsa rsa1024, key cipher = OpenSSL::Cipher.new("aes-128-cbc") - exported = RSA1024.to_pem(cipher, "abcdef\0\1") - assert_same_rsa RSA1024, OpenSSL::PKey::RSA.new(exported, "abcdef\0\1") + exported = rsa1024.to_pem(cipher, "abcdef\0\1") + assert_same_rsa rsa1024, OpenSSL::PKey::RSA.new(exported, "abcdef\0\1") assert_raise(OpenSSL::PKey::RSAError) { OpenSSL::PKey::RSA.new(exported, "abcdef") } end def test_RSAPublicKey + rsa1024 = Fixtures.pkey("rsa1024") asn1 = OpenSSL::ASN1::Sequence([ - OpenSSL::ASN1::Integer(RSA1024.n), - OpenSSL::ASN1::Integer(RSA1024.e) + OpenSSL::ASN1::Integer(rsa1024.n), + OpenSSL::ASN1::Integer(rsa1024.e) ]) key = OpenSSL::PKey::RSA.new(asn1.to_der) assert_not_predicate key, :private? - assert_same_rsa dup_public(RSA1024), key + assert_same_rsa dup_public(rsa1024), key pem = <<~EOF -----BEGIN RSA PUBLIC KEY----- @@ -207,10 +207,11 @@ class OpenSSL::TestPKeyRSA < OpenSSL::PKeyTestCase -----END RSA PUBLIC KEY----- EOF key = OpenSSL::PKey::RSA.new(pem) - assert_same_rsa dup_public(RSA1024), key + assert_same_rsa dup_public(rsa1024), key end def test_PUBKEY + rsa1024 = Fixtures.pkey("rsa1024") asn1 = OpenSSL::ASN1::Sequence([ OpenSSL::ASN1::Sequence([ OpenSSL::ASN1::ObjectId("rsaEncryption"), @@ -218,14 +219,14 @@ class OpenSSL::TestPKeyRSA < OpenSSL::PKeyTestCase ]), OpenSSL::ASN1::BitString( OpenSSL::ASN1::Sequence([ - OpenSSL::ASN1::Integer(RSA1024.n), - OpenSSL::ASN1::Integer(RSA1024.e) + OpenSSL::ASN1::Integer(rsa1024.n), + OpenSSL::ASN1::Integer(rsa1024.e) ]).to_der ) ]) key = OpenSSL::PKey::RSA.new(asn1.to_der) assert_not_predicate key, :private? - assert_same_rsa dup_public(RSA1024), key + assert_same_rsa dup_public(rsa1024), key pem = <<~EOF -----BEGIN PUBLIC KEY----- @@ -236,10 +237,10 @@ class OpenSSL::TestPKeyRSA < OpenSSL::PKeyTestCase -----END PUBLIC KEY----- EOF key = OpenSSL::PKey::RSA.new(pem) - assert_same_rsa dup_public(RSA1024), key + assert_same_rsa dup_public(rsa1024), key - assert_equal asn1.to_der, dup_public(RSA1024).to_der - assert_equal pem, dup_public(RSA1024).export + assert_equal asn1.to_der, dup_public(rsa1024).to_der + assert_equal pem, dup_public(rsa1024).export end def test_dup @@ -255,5 +256,3 @@ class OpenSSL::TestPKeyRSA < OpenSSL::PKeyTestCase check_component(expected, key, [:n, :e, :d, :p, :q, :dmp1, :dmq1, :iqmp]) end end - -end diff --git a/test/test_random.rb b/test/test_random.rb index 60794619..dd72d84d 100644 --- a/test/test_random.rb +++ b/test/test_random.rb @@ -12,4 +12,4 @@ class OpenSSL::TestRandom < OpenSSL::TestCase assert_equal("", OpenSSL::Random.pseudo_bytes(0)) assert_equal(12, OpenSSL::Random.pseudo_bytes(12).bytesize) end if OpenSSL::Random.methods.include?(:pseudo_bytes) -end if defined?(OpenSSL::TestCase) +end diff --git a/test/test_ssl.rb b/test/test_ssl.rb index 8d74f25f..b2f36c75 100644 --- a/test/test_ssl.rb +++ b/test/test_ssl.rb @@ -1,8 +1,6 @@ # frozen_string_literal: false require_relative "utils" -if defined?(OpenSSL::TestUtils) - class OpenSSL::TestSSL < OpenSSL::SSLTestCase def test_ctx_options @@ -352,10 +350,8 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase assert ciphers_names.all?{|v| /A(EC)?DH/ !~ v }, "anon ciphers are disabled" assert ciphers_names.all?{|v| /(RC4|MD5|EXP|DES)/ !~ v }, "weak ciphers are disabled" assert_equal 0, ctx.options & OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS - if defined?(OpenSSL::SSL::OP_NO_COMPRESSION) # >= 1.0.0 - assert_equal OpenSSL::SSL::OP_NO_COMPRESSION, - ctx.options & OpenSSL::SSL::OP_NO_COMPRESSION - end + assert_equal OpenSSL::SSL::OP_NO_COMPRESSION, + ctx.options & OpenSSL::SSL::OP_NO_COMPRESSION end def test_post_connect_check_with_anon_ciphers @@ -625,7 +621,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase def test_tlsext_hostname ctx3 = OpenSSL::SSL::SSLContext.new ctx3.ciphers = "ADH" - ctx3.tmp_dh_callback = proc { OpenSSL::TestUtils::TEST_KEY_DH1024 } + ctx3.tmp_dh_callback = proc { Fixtures.pkey_dh("dh1024") } ctx3.security_level = 0 assert_not_predicate ctx3, :frozen? @@ -675,7 +671,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase ctx2 = OpenSSL::SSL::SSLContext.new ctx2.ciphers = "aNULL" - ctx2.tmp_dh_callback = proc { OpenSSL::TestUtils::TEST_KEY_DH1024 } + ctx2.tmp_dh_callback = proc { Fixtures.pkey_dh("dh1024") } ctx2.security_level = 0 ctx2.servername_cb = lambda { |args| Object.new } @@ -845,7 +841,7 @@ if OpenSSL::SSL::SSLContext::METHODS.include? :TLSv1_2 ctx.ssl_version = :TLSv1_2_client server_connect(port, ctx) { |ssl| assert_equal("TLSv1.2", ssl.ssl_version) } } - end if OpenSSL::OPENSSL_VERSION_NUMBER > 0x10001000 + end def test_forbid_tls_v1_1_for_client ctx_proc = Proc.new { |ctx| ctx.options = OpenSSL::SSL::OP_ALL | OpenSSL::SSL::OP_NO_TLSv1_1 } @@ -854,7 +850,7 @@ if OpenSSL::SSL::SSLContext::METHODS.include? :TLSv1_2 ctx.ssl_version = :TLSv1_1 assert_handshake_error { server_connect(port, ctx) } } - end if defined?(OpenSSL::SSL::OP_NO_TLSv1_1) + end def test_forbid_tls_v1_1_from_server start_server_version(:TLSv1_1) { |server, port| @@ -862,7 +858,7 @@ if OpenSSL::SSL::SSLContext::METHODS.include? :TLSv1_2 ctx.options = OpenSSL::SSL::OP_ALL | OpenSSL::SSL::OP_NO_TLSv1_1 assert_handshake_error { server_connect(port, ctx) } } - end if defined?(OpenSSL::SSL::OP_NO_TLSv1_1) + end def test_forbid_tls_v1_2_for_client ctx_proc = Proc.new { |ctx| ctx.options = OpenSSL::SSL::OP_ALL | OpenSSL::SSL::OP_NO_TLSv1_2 } @@ -871,7 +867,7 @@ if OpenSSL::SSL::SSLContext::METHODS.include? :TLSv1_2 ctx.ssl_version = :TLSv1_2 assert_handshake_error { server_connect(port, ctx) } } - end if defined?(OpenSSL::SSL::OP_NO_TLSv1_2) + end def test_forbid_tls_v1_2_from_server start_server_version(:TLSv1_2) { |server, port| @@ -879,7 +875,7 @@ if OpenSSL::SSL::SSLContext::METHODS.include? :TLSv1_2 ctx.options = OpenSSL::SSL::OP_ALL | OpenSSL::SSL::OP_NO_TLSv1_2 assert_handshake_error { server_connect(port, ctx) } } - end if defined?(OpenSSL::SSL::OP_NO_TLSv1_2) + end end @@ -942,8 +938,7 @@ if OpenSSL::OPENSSL_VERSION_NUMBER >= 0x10002000 end end -if OpenSSL::OPENSSL_VERSION_NUMBER > 0x10001000 && - OpenSSL::SSL::SSLContext.method_defined?(:npn_select_cb) +if OpenSSL::SSL::SSLContext.method_defined?(:npn_select_cb) # NPN may be disabled by OpenSSL configure option def test_npn_protocol_selection_ary @@ -1051,7 +1046,7 @@ end # test it doesn't cause a segmentation fault ctx = OpenSSL::SSL::SSLContext.new ctx.ciphers = "aNULL" - ctx.tmp_dh_callback = proc { OpenSSL::TestUtils::TEST_KEY_DH1024 } + ctx.tmp_dh_callback = proc { Fixtures.pkey_dh("dh1024") } ctx.security_level = 0 sock1, sock2 = socketpair @@ -1106,14 +1101,14 @@ end ctx.ciphers = "DH:!NULL" ctx.tmp_dh_callback = ->(*args) { called = true - OpenSSL::TestUtils::TEST_KEY_DH1024 + Fixtures.pkey_dh("dh1024") } } start_server(ctx_proc: ctx_proc) do |server, port| server_connect(port) { |ssl| assert called, "dh callback should be called" if ssl.respond_to?(:tmp_key) - assert_equal OpenSSL::TestUtils::TEST_KEY_DH1024.to_der, ssl.tmp_key.to_der + assert_equal Fixtures.pkey_dh("dh1024").to_der, ssl.tmp_key.to_der end } end @@ -1226,10 +1221,10 @@ end return end assert_equal(1, ctx.security_level) - # assert_raise(OpenSSL::SSL::SSLError) { ctx.key = OpenSSL::TestUtils::TEST_KEY_DSA512 } - # ctx.key = OpenSSL::TestUtils::TEST_KEY_RSA1024 + # assert_raise(OpenSSL::SSL::SSLError) { ctx.key = Fixtures.pkey("dsa512") } + # ctx.key = Fixtures.pkey("rsa1024") # ctx.security_level = 2 - # assert_raise(OpenSSL::SSL::SSLError) { ctx.key = OpenSSL::TestUtils::TEST_KEY_RSA1024 } + # assert_raise(OpenSSL::SSL::SSLError) { ctx.key = Fixtures.pkey("rsa1024") } pend "FIXME: SSLContext#key= currently does not raise because SSL_CTX_use_certificate() is delayed" end @@ -1296,5 +1291,3 @@ end } end end - -end diff --git a/test/test_ssl_session.rb b/test/test_ssl_session.rb index b2643edd..2f633b03 100644 --- a/test/test_ssl_session.rb +++ b/test/test_ssl_session.rb @@ -1,8 +1,6 @@ # frozen_string_literal: false require_relative "utils" -if defined?(OpenSSL::TestUtils) - class OpenSSL::TestSSLSession < OpenSSL::SSLTestCase def test_session_equals session = OpenSSL::SSL::Session.new <<-SESSION @@ -150,7 +148,7 @@ __EOS__ def test_session_exts_read assert(OpenSSL::SSL::Session.new(DUMMY_SESSION)) - end if OpenSSL::OPENSSL_VERSION_NUMBER >= 0x009080bf + end def test_client_session last_session = nil @@ -376,5 +374,3 @@ __EOS__ assert_equal(sess_orig.to_der, sess_dup.to_der) end end - -end diff --git a/test/test_x509attr.rb b/test/test_x509attr.rb index d7473f1a..249c1593 100644 --- a/test/test_x509attr.rb +++ b/test/test_x509attr.rb @@ -1,8 +1,6 @@ # frozen_string_literal: false require_relative "utils" -if defined?(OpenSSL::TestUtils) - class OpenSSL::TestX509Attribute < OpenSSL::TestCase def test_new ef = OpenSSL::X509::ExtensionFactory.new @@ -63,5 +61,3 @@ class OpenSSL::TestX509Attribute < OpenSSL::TestCase assert_equal(attr.to_der, attr.dup.to_der) end end - -end diff --git a/test/test_x509cert.rb b/test/test_x509cert.rb index 0cfe4402..7f8426f7 100644 --- a/test/test_x509cert.rb +++ b/test/test_x509cert.rb @@ -1,23 +1,17 @@ # frozen_string_literal: false require_relative "utils" -if defined?(OpenSSL::TestUtils) - class OpenSSL::TestX509Certificate < OpenSSL::TestCase def setup super - @rsa1024 = OpenSSL::TestUtils::TEST_KEY_RSA1024 - @rsa2048 = OpenSSL::TestUtils::TEST_KEY_RSA2048 - @dsa256 = OpenSSL::TestUtils::TEST_KEY_DSA256 - @dsa512 = OpenSSL::TestUtils::TEST_KEY_DSA512 + @rsa1024 = Fixtures.pkey("rsa1024") + @rsa2048 = Fixtures.pkey("rsa2048") + @dsa256 = Fixtures.pkey("dsa256") + @dsa512 = Fixtures.pkey("dsa512") @ca = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=CA") @ee1 = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=EE1") end - def issue_cert(*args) - OpenSSL::TestUtils.issue_cert(*args) - end - def test_serial [1, 2**32, 2**100].each{|s| cert = issue_cert(@ca, @rsa2048, s, [], nil, nil) @@ -34,13 +28,10 @@ class OpenSSL::TestX509Certificate < OpenSSL::TestCase ["authorityKeyIdentifier","keyid:always",false], ] - sha1 = OpenSSL::Digest::SHA1.new - dsa_digest = OpenSSL::TestUtils::DSA_SIGNATURE_DIGEST.new - [ - [@rsa1024, sha1], [@rsa2048, sha1], [@dsa256, dsa_digest], [@dsa512, dsa_digest] - ].each{|pk, digest| - cert = issue_cert(@ca, pk, 1, exts, nil, nil, digest: digest) + @rsa1024, @rsa2048, @dsa256, @dsa512, + ].each{|pk| + cert = issue_cert(@ca, pk, 1, exts, nil, nil) assert_equal(cert.extensions.sort_by(&:to_s)[2].value, OpenSSL::TestUtils.get_subject_key_id(cert)) cert = OpenSSL::X509::Certificate.new(cert.to_der) @@ -152,26 +143,15 @@ class OpenSSL::TestX509Certificate < OpenSSL::TestCase } end - def test_dsig_algorithm_mismatch - assert_raise(OpenSSL::X509::CertificateError) do - issue_cert(@ca, @rsa2048, 1, [], nil, nil, digest: OpenSSL::Digest::DSS1.new) - end if OpenSSL::OPENSSL_VERSION_NUMBER < 0x10001000 # [ruby-core:42949] - end - def test_dsa_with_sha2 - begin - cert = issue_cert(@ca, @dsa256, 1, [], nil, nil, digest: "sha256") - assert_equal("dsa_with_SHA256", cert.signature_algorithm) - rescue OpenSSL::X509::CertificateError - # dsa_with_sha2 not supported. skip following test. - return - end + cert = issue_cert(@ca, @dsa256, 1, [], nil, nil, digest: "sha256") + assert_equal("dsa_with_SHA256", cert.signature_algorithm) # TODO: need more tests for dsa + sha2 # SHA1 is allowed from OpenSSL 1.0.0 (0.9.8 requires DSS1) cert = issue_cert(@ca, @dsa256, 1, [], nil, nil, digest: "sha1") assert_equal("dsaWithSHA1", cert.signature_algorithm) - end if defined?(OpenSSL::Digest::SHA256) + end def test_check_private_key cert = issue_cert(@ca, @rsa2048, 1, [], nil, nil) @@ -186,5 +166,3 @@ class OpenSSL::TestX509Certificate < OpenSSL::TestCase false end end - -end diff --git a/test/test_x509crl.rb b/test/test_x509crl.rb index 44dfffc9..fd7b562a 100644 --- a/test/test_x509crl.rb +++ b/test/test_x509crl.rb @@ -1,28 +1,18 @@ # frozen_string_literal: false require_relative "utils" -if defined?(OpenSSL::TestUtils) - class OpenSSL::TestX509CRL < OpenSSL::TestCase def setup super - @rsa1024 = OpenSSL::TestUtils::TEST_KEY_RSA1024 - @rsa2048 = OpenSSL::TestUtils::TEST_KEY_RSA2048 - @dsa256 = OpenSSL::TestUtils::TEST_KEY_DSA256 - @dsa512 = OpenSSL::TestUtils::TEST_KEY_DSA512 + @rsa1024 = Fixtures.pkey("rsa1024") + @rsa2048 = Fixtures.pkey("rsa2048") + @dsa256 = Fixtures.pkey("dsa256") + @dsa512 = Fixtures.pkey("dsa512") @ca = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=CA") @ee1 = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=EE1") @ee2 = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=EE2") end - def issue_crl(*args) - OpenSSL::TestUtils.issue_crl(*args) - end - - def issue_cert(*args) - OpenSSL::TestUtils.issue_cert(*args) - end - def test_basic now = Time.at(Time.now.to_i) @@ -196,7 +186,7 @@ class OpenSSL::TestX509CRL < OpenSSL::TestCase cert = issue_cert(@ca, @dsa512, 1, [], nil, nil) crl = issue_crl([], 1, Time.now, Time.now+1600, [], - cert, @dsa512, OpenSSL::TestUtils::DSA_SIGNATURE_DIGEST.new) + cert, @dsa512, OpenSSL::Digest::SHA1.new) assert_equal(false, crl_error_returns_false { crl.verify(@rsa1024) }) assert_equal(false, crl_error_returns_false { crl.verify(@rsa2048) }) assert_equal(false, crl.verify(@dsa256)) @@ -213,5 +203,3 @@ class OpenSSL::TestX509CRL < OpenSSL::TestCase false end end - -end diff --git a/test/test_x509ext.rb b/test/test_x509ext.rb index 58f03168..d9cde1bd 100644 --- a/test/test_x509ext.rb +++ b/test/test_x509ext.rb @@ -1,8 +1,6 @@ # frozen_string_literal: false require_relative 'utils' -if defined?(OpenSSL::TestUtils) - class OpenSSL::TestX509Extension < OpenSSL::TestCase def setup super @@ -76,5 +74,3 @@ class OpenSSL::TestX509Extension < OpenSSL::TestCase assert_equal(ext.to_der, ext.dup.to_der) end end - -end diff --git a/test/test_x509name.rb b/test/test_x509name.rb index b30a02e6..486d0bbb 100644 --- a/test/test_x509name.rb +++ b/test/test_x509name.rb @@ -2,8 +2,6 @@ # frozen_string_literal: false require_relative 'utils' -if defined?(OpenSSL::TestUtils) - class OpenSSL::TestX509Name < OpenSSL::TestCase def setup super @@ -306,7 +304,6 @@ class OpenSSL::TestX509Name < OpenSSL::TestCase end def test_add_entry_street - return if OpenSSL::OPENSSL_VERSION_NUMBER < 0x009080df # 0.9.8m # openssl/crypto/objects/obj_mac.h 1.83 dn = [ ["DC", "org"], @@ -362,5 +359,3 @@ class OpenSSL::TestX509Name < OpenSSL::TestCase assert_equal(name.to_der, name.dup.to_der) end end - -end diff --git a/test/test_x509req.rb b/test/test_x509req.rb index 585dda1b..88156220 100644 --- a/test/test_x509req.rb +++ b/test/test_x509req.rb @@ -1,15 +1,13 @@ # frozen_string_literal: false require_relative "utils" -if defined?(OpenSSL::TestUtils) - class OpenSSL::TestX509Request < OpenSSL::TestCase def setup super - @rsa1024 = OpenSSL::TestUtils::TEST_KEY_RSA1024 - @rsa2048 = OpenSSL::TestUtils::TEST_KEY_RSA2048 - @dsa256 = OpenSSL::TestUtils::TEST_KEY_DSA256 - @dsa512 = OpenSSL::TestUtils::TEST_KEY_DSA512 + @rsa1024 = Fixtures.pkey("rsa1024") + @rsa2048 = Fixtures.pkey("rsa2048") + @dsa256 = Fixtures.pkey("dsa256") + @dsa512 = Fixtures.pkey("dsa512") @dn = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=GOTOU Yuuzou") end @@ -28,7 +26,7 @@ class OpenSSL::TestX509Request < OpenSSL::TestCase req = OpenSSL::X509::Request.new(req.to_der) assert_equal(@rsa1024.public_key.to_der, req.public_key.to_der) - req = issue_csr(0, @dn, @dsa512, OpenSSL::TestUtils::DSA_SIGNATURE_DIGEST.new) + req = issue_csr(0, @dn, @dsa512, OpenSSL::Digest::SHA1.new) assert_equal(@dsa512.public_key.to_der, req.public_key.to_der) req = OpenSSL::X509::Request.new(req.to_der) assert_equal(@dsa512.public_key.to_der, req.public_key.to_der) @@ -122,7 +120,7 @@ class OpenSSL::TestX509Request < OpenSSL::TestCase end def test_sign_and_verify_dsa - req = issue_csr(0, @dn, @dsa512, OpenSSL::TestUtils::DSA_SIGNATURE_DIGEST.new) + req = issue_csr(0, @dn, @dsa512, OpenSSL::Digest::SHA1.new) assert_equal(false, request_error_returns_false { req.verify(@rsa1024) }) assert_equal(false, request_error_returns_false { req.verify(@rsa2048) }) assert_equal(false, req.verify(@dsa256)) @@ -131,18 +129,6 @@ class OpenSSL::TestX509Request < OpenSSL::TestCase assert_equal(false, req.verify(@dsa512)) end - def test_sign_and_verify_rsa_dss1 - req = issue_csr(0, @dn, @rsa1024, OpenSSL::Digest::DSS1.new) - assert_equal(true, req.verify(@rsa1024)) - assert_equal(false, req.verify(@rsa2048)) - assert_equal(false, request_error_returns_false { req.verify(@dsa256) }) - assert_equal(false, request_error_returns_false { req.verify(@dsa512) }) - req.version = 1 - assert_equal(false, req.verify(@rsa1024)) - rescue OpenSSL::X509::RequestError - pend - end if defined?(OpenSSL::Digest::DSS1) - def test_sign_and_verify_dsa_md5 assert_raise(OpenSSL::X509::RequestError){ issue_csr(0, @dn, @dsa512, OpenSSL::Digest::MD5.new) } @@ -161,5 +147,3 @@ class OpenSSL::TestX509Request < OpenSSL::TestCase false end end - -end diff --git a/test/test_x509store.rb b/test/test_x509store.rb index af0d8b28..dbab6424 100644 --- a/test/test_x509store.rb +++ b/test/test_x509store.rb @@ -1,15 +1,13 @@ # frozen_string_literal: false require_relative "utils" -if defined?(OpenSSL::TestUtils) - class OpenSSL::TestX509Store < OpenSSL::TestCase def setup super - @rsa1024 = OpenSSL::TestUtils::TEST_KEY_RSA1024 - @rsa2048 = OpenSSL::TestUtils::TEST_KEY_RSA2048 - @dsa256 = OpenSSL::TestUtils::TEST_KEY_DSA256 - @dsa512 = OpenSSL::TestUtils::TEST_KEY_DSA512 + @rsa1024 = Fixtures.pkey("rsa1024") + @rsa2048 = Fixtures.pkey("rsa2048") + @dsa256 = Fixtures.pkey("dsa256") + @dsa512 = Fixtures.pkey("dsa512") @ca1 = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=CA1") @ca2 = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=CA2") @ee1 = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=EE1") @@ -26,14 +24,6 @@ class OpenSSL::TestX509Store < OpenSSL::TestCase ctx.verify end - def issue_cert(*args) - OpenSSL::TestUtils.issue_cert(*args) - end - - def issue_crl(*args) - OpenSSL::TestUtils.issue_crl(*args) - end - def test_verify # OpenSSL uses time(2) while Time.now uses clock_gettime(CLOCK_REALTIME), # and there may be difference. @@ -209,17 +199,9 @@ class OpenSSL::TestX509Store < OpenSSL::TestCase crl2 = issue_crl(revoke_info, 2, now+1800, now+3600, [], ca1_cert, @rsa2048, OpenSSL::Digest::SHA1.new) store.add_crl(crl1) - if /0\.9\.8.*-rhel/ =~ OpenSSL::OPENSSL_VERSION - # RedHat is distributing a patched version of OpenSSL that allows - # multiple CRL for a key (multi-crl.patch) - assert_nothing_raised do - store.add_crl(crl2) # add CRL issued by same CA twice. - end - else - assert_raise(OpenSSL::X509::StoreError){ - store.add_crl(crl2) # add CRL issued by same CA twice. - } - end + assert_raise(OpenSSL::X509::StoreError){ + store.add_crl(crl2) # add CRL issued by same CA twice. + } end def test_dup @@ -229,5 +211,3 @@ class OpenSSL::TestX509Store < OpenSSL::TestCase assert_raise(NoMethodError) { ctx.dup } end end - -end diff --git a/test/utils.rb b/test/utils.rb index bbc9c7ef..54f75f25 100644 --- a/test/utils.rb +++ b/test/utils.rb @@ -9,6 +9,26 @@ begin rescue LoadError end +# Compile OpenSSL with crypto-mdebug and run this test suite with OSSL_MDEBUG=1 +# environment variable to enable memory leak check. +if ENV["OSSL_MDEBUG"] == "1" + if OpenSSL.respond_to?(:print_mem_leaks) + OpenSSL.mem_check_start + + END { + GC.start + case OpenSSL.print_mem_leaks + when nil + warn "mdebug: check what is printed" + when true + raise "mdebug: memory leaks detected" + end + } + else + warn "OSSL_MDEBUG=1 is specified but OpenSSL is not built with crypto-mdebug" + end +end + require "test/unit" require 'tempfile' require "rbconfig" @@ -16,122 +36,29 @@ require "socket" require "envutil" module OpenSSL::TestUtils - TEST_KEY_RSA1024 = OpenSSL::PKey::RSA.new <<-_end_of_pem_ ------BEGIN RSA PRIVATE KEY----- -MIICXgIBAAKBgQDLwsSw1ECnPtT+PkOgHhcGA71nwC2/nL85VBGnRqDxOqjVh7Cx -aKPERYHsk4BPCkE3brtThPWc9kjHEQQ7uf9Y1rbCz0layNqHyywQEVLFmp1cpIt/ -Q3geLv8ZD9pihowKJDyMDiN6ArYUmZczvW4976MU3+l54E6lF/JfFEU5hwIDAQAB -AoGBAKSl/MQarye1yOysqX6P8fDFQt68VvtXkNmlSiKOGuzyho0M+UVSFcs6k1L0 -maDE25AMZUiGzuWHyaU55d7RXDgeskDMakD1v6ZejYtxJkSXbETOTLDwUWTn618T -gnb17tU1jktUtU67xK/08i/XodlgnQhs6VoHTuCh3Hu77O6RAkEA7+gxqBuZR572 -74/akiW/SuXm0SXPEviyO1MuSRwtI87B02D0qgV8D1UHRm4AhMnJ8MCs1809kMQE -JiQUCrp9mQJBANlt2ngBO14us6NnhuAseFDTBzCHXwUUu1YKHpMMmxpnGqaldGgX -sOZB3lgJsT9VlGf3YGYdkLTNVbogQKlKpB8CQQDiSwkb4vyQfDe8/NpU5Not0fII -8jsDUCb+opWUTMmfbxWRR3FBNu8wnym/m19N4fFj8LqYzHX4KY0oVPu6qvJxAkEA -wa5snNekFcqONLIE4G5cosrIrb74sqL8GbGb+KuTAprzj5z1K8Bm0UW9lTjVDjDi -qRYgZfZSL+x1P/54+xTFSwJAY1FxA/N3QPCXCjPh5YqFxAMQs2VVYTfg+t0MEcJD -dPMQD5JX6g5HKnHFg2mZtoXQrWmJSn7p8GJK8yNTopEErA== ------END RSA PRIVATE KEY----- - _end_of_pem_ - - TEST_KEY_RSA2048 = OpenSSL::PKey::RSA.new <<-_end_of_pem_ ------BEGIN RSA PRIVATE KEY----- -MIIEpAIBAAKCAQEAuV9ht9J7k4NBs38jOXvvTKY9gW8nLICSno5EETR1cuF7i4pN -s9I1QJGAFAX0BEO4KbzXmuOvfCpD3CU+Slp1enenfzq/t/e/1IRW0wkJUJUFQign -4CtrkJL+P07yx18UjyPlBXb81ApEmAB5mrJVSrWmqbjs07JbuS4QQGGXLc+Su96D -kYKmSNVjBiLxVVSpyZfAY3hD37d60uG+X8xdW5v68JkRFIhdGlb6JL8fllf/A/bl -NwdJOhVr9mESHhwGjwfSeTDPfd8ZLE027E5lyAVX9KZYcU00mOX+fdxOSnGqS/8J -DRh0EPHDL15RcJjV2J6vZjPb0rOYGDoMcH+94wIDAQABAoIBAAzsamqfYQAqwXTb -I0CJtGg6msUgU7HVkOM+9d3hM2L791oGHV6xBAdpXW2H8LgvZHJ8eOeSghR8+dgq -PIqAffo4x1Oma+FOg3A0fb0evyiACyrOk+EcBdbBeLo/LcvahBtqnDfiUMQTpy6V -seSoFCwuN91TSCeGIsDpRjbG1vxZgtx+uI+oH5+ytqJOmfCksRDCkMglGkzyfcl0 -Xc5CUhIJ0my53xijEUQl19rtWdMnNnnkdbG8PT3LZlOta5Do86BElzUYka0C6dUc -VsBDQ0Nup0P6rEQgy7tephHoRlUGTYamsajGJaAo1F3IQVIrRSuagi7+YpSpCqsW -wORqorkCgYEA7RdX6MDVrbw7LePnhyuaqTiMK+055/R1TqhB1JvvxJ1CXk2rDL6G -0TLHQ7oGofd5LYiemg4ZVtWdJe43BPZlVgT6lvL/iGo8JnrncB9Da6L7nrq/+Rvj -XGjf1qODCK+LmreZWEsaLPURIoR/Ewwxb9J2zd0CaMjeTwafJo1CZvcCgYEAyCgb -aqoWvUecX8VvARfuA593Lsi50t4MEArnOXXcd1RnXoZWhbx5rgO8/ATKfXr0BK/n -h2GF9PfKzHFm/4V6e82OL7gu/kLy2u9bXN74vOvWFL5NOrOKPM7Kg+9I131kNYOw -Ivnr/VtHE5s0dY7JChYWE1F3vArrOw3T00a4CXUCgYEA0SqY+dS2LvIzW4cHCe9k -IQqsT0yYm5TFsUEr4sA3xcPfe4cV8sZb9k/QEGYb1+SWWZ+AHPV3UW5fl8kTbSNb -v4ng8i8rVVQ0ANbJO9e5CUrepein2MPL0AkOATR8M7t7dGGpvYV0cFk8ZrFx0oId -U0PgYDotF/iueBWlbsOM430CgYEAqYI95dFyPI5/AiSkY5queeb8+mQH62sdcCCr -vd/w/CZA/K5sbAo4SoTj8dLk4evU6HtIa0DOP63y071eaxvRpTNqLUOgmLh+D6gS -Cc7TfLuFrD+WDBatBd5jZ+SoHccVrLR/4L8jeodo5FPW05A+9gnKXEXsTxY4LOUC -9bS4e1kCgYAqVXZh63JsMwoaxCYmQ66eJojKa47VNrOeIZDZvd2BPVf30glBOT41 -gBoDG3WMPZoQj9pb7uMcrnvs4APj2FIhMU8U15LcPAj59cD6S6rWnAxO8NFK7HQG -4Jxg3JNNf8ErQoCHb1B3oVdXJkmbJkARoDpBKmTCgKtP8ADYLmVPQw== ------END RSA PRIVATE KEY----- - _end_of_pem_ - - TEST_KEY_DSA256 = OpenSSL::PKey::DSA.new <<-_end_of_pem_ ------BEGIN DSA PRIVATE KEY----- -MIH3AgEAAkEAhk2libbY2a8y2Pt21+YPYGZeW6wzaW2yfj5oiClXro9XMR7XWLkE -9B7XxLNFCS2gmCCdMsMW1HulaHtLFQmB2wIVAM43JZrcgpu6ajZ01VkLc93gu/Ed -AkAOhujZrrKV5CzBKutKLb0GVyVWmdC7InoNSMZEeGU72rT96IjM59YzoqmD0pGM -3I1o4cGqg1D1DfM1rQlnN1eSAkBq6xXfEDwJ1mLNxF6q8Zm/ugFYWR5xcX/3wFiT -b4+EjHP/DbNh9Vm5wcfnDBJ1zKvrMEf2xqngYdrV/3CiGJeKAhRvL57QvJZcQGvn -ISNX5cMzFHRW3Q== ------END DSA PRIVATE KEY----- - _end_of_pem_ - - TEST_KEY_DSA512 = OpenSSL::PKey::DSA.new <<-_end_of_pem_ ------BEGIN DSA PRIVATE KEY----- -MIH4AgEAAkEA5lB4GvEwjrsMlGDqGsxrbqeFRh6o9OWt6FgTYiEEHaOYhkIxv0Ok -RZPDNwOG997mDjBnvDJ1i56OmS3MbTnovwIVAJgub/aDrSDB4DZGH7UyarcaGy6D -AkB9HdFw/3td8K4l1FZHv7TCZeJ3ZLb7dF3TWoGUP003RCqoji3/lHdKoVdTQNuR -S/m6DlCwhjRjiQ/lBRgCLCcaAkEAjN891JBjzpMj4bWgsACmMggFf57DS0Ti+5++ -Q1VB8qkJN7rA7/2HrCR3gTsWNb1YhAsnFsoeRscC+LxXoXi9OAIUBG98h4tilg6S -55jreJD3Se3slps= ------END DSA PRIVATE KEY----- - _end_of_pem_ - - TEST_KEY_DSA1024 = OpenSSL::PKey::DSA.new <<-_end_of_pem_ ------BEGIN DSA PRIVATE KEY----- -MIIBugIBAAKBgQCH9aAoXvWWThIjkA6D+nI1F9ksF9iDq594rkiGNOT9sPDOdB+n -D+qeeeeloRlj19ymCSADPI0ZLRgkchkAEnY2RnqnhHOjVf/roGgRbW+iQDMbQ9wa -/pvc6/fAbsu1goE1hBYjm98/sZEeXavj8tR56IXnjF1b6Nx0+sgeUKFKEQIVAMiz -4BJUFeTtddyM4uadBM7HKLPRAoGAZdLBSYNGiij7vAjesF5mGUKTIgPd+JKuBEDx -OaBclsgfdoyoF/TMOkIty+PVlYD+//Vl2xnoUEIRaMXHwHfm0r2xUX++oeRaSScg -YizJdUxe5jvBuBszGPRc/mGpb9YvP0sB+FL1KmuxYmdODfCe51zl8uM/CVhouJ3w -DjmRGscCgYAuFlfC7p+e8huCKydfcv/beftqjewiOPpQ3u5uI6KPCtCJPpDhs3+4 -IihH2cPsAlqwGF4tlibW1+/z/OZ1AZinPK3y7b2jSJASEaPeEltVzB92hcd1khk2 -jTYcmSsV4VddplOPK9czytR/GbbibxsrhhgZUbd8LPbvIgaiadJ1PgIUBnJ/5vN2 -CVArsEzlPUCbohPvZnE= ------END DSA PRIVATE KEY----- - _end_of_pem_ - -if defined?(OpenSSL::PKey::EC) - - TEST_KEY_EC_P256V1 = OpenSSL::PKey::EC.new <<-_end_of_pem_ ------BEGIN EC PRIVATE KEY----- -MHcCAQEEIID49FDqcf1O1eO8saTgG70UbXQw9Fqwseliit2aWhH1oAoGCCqGSM49 -AwEHoUQDQgAEFglk2c+oVUIKQ64eZG9bhLNPWB7lSZ/ArK41eGy5wAzU/0G51Xtt -CeBUl+MahZtn9fO1JKdF4qJmS39dXnpENg== ------END EC PRIVATE KEY----- - _end_of_pem_ - -end + module Fixtures + module_function - TEST_KEY_DH1024 = OpenSSL::PKey::DH.new <<-_end_of_pem_ ------BEGIN DH PARAMETERS----- -MIGHAoGBAKnKQ8MNK6nYZzLrrcuTsLxuiJGXoOO5gT+tljOTbHBuiktdMTITzIY0 -pFxIvjG05D7HoBZQfrR0c92NGWPkAiCkhQKB8JCbPVzwNLDy6DZ0pmofDKrEsYHG -AQjjxMXhwULlmuR/K+WwlaZPiLIBYalLAZQ7ZbOPeVkJ8ePao0eLAgEC ------END DH PARAMETERS----- - _end_of_pem_ + def pkey(name) + OpenSSL::PKey.read(read_file("pkey", name)) + end - TEST_KEY_DH1024.set_key(OpenSSL::BN.new("556AF1598AE69899867CEBA9F29CE4862B884C2B43C9019EA0231908F6EFA785E3C462A6ECB16DF676866E997FFB72B487DC7967C58C3CA38CE974473BF19B2AA5DCBF102735572EBA6F353F6F0BBE7FF1DE1B07FE1381A355C275C33405004317F9491B5955F191F6615A63B30E55A027FB88A1A4B25608E09EEE68A7DF32D", 16), - OpenSSL::BN.new("48561834C67E65FFD2A9B47F41E5E78FDC95C387428FDB1E4B0188B64D1643C3A8D3455B945B7E8C4D166010C7C2CE23BFB9BEF43D0348FE7FA5284B0225E7FE1537546D114E3D8A4411B9B9351AB451E1A358F50ED61B1F00DA29336EEBBD649980AC86D76AF8BBB065298C2052672EEF3EF13AB47A15275FC2836F3AC74CEA", 16)) + def pkey_dh(name) + # DH parameters can be read by OpenSSL::PKey.read atm + OpenSSL::PKey::DH.new(read_file("pkey", name)) + end - DSA_SIGNATURE_DIGEST = OpenSSL::OPENSSL_VERSION_NUMBER > 0x10000000 ? - OpenSSL::Digest::SHA1 : - OpenSSL::Digest::DSS1 + def read_file(category, name) + @file_cache ||= {} + @file_cache[[category, name]] ||= + File.read(File.join(__dir__, "fixtures", category, name + ".pem")) + end + end module_function def issue_cert(dn, key, serial, extensions, issuer, issuer_key, - not_before: nil, not_after: nil, digest: nil) + not_before: nil, not_after: nil, digest: "sha256") cert = OpenSSL::X509::Certificate.new issuer = cert unless issuer issuer_key = key unless issuer_key @@ -149,7 +76,6 @@ AQjjxMXhwULlmuR/K+WwlaZPiLIBYalLAZQ7ZbOPeVkJ8ePao0eLAgEC extensions.each{|oid, value, critical| cert.add_extension(ef.create_extension(oid, value, critical)) } - digest ||= OpenSSL::PKey::DSA === issuer_key ? DSA_SIGNATURE_DIGEST.new : "sha256" cert.sign(issuer_key, digest) cert end @@ -201,6 +127,9 @@ AQjjxMXhwULlmuR/K+WwlaZPiLIBYalLAZQ7ZbOPeVkJ8ePao0eLAgEC end class OpenSSL::TestCase < Test::Unit::TestCase + include OpenSSL::TestUtils + extend OpenSSL::TestUtils + def setup if ENV["OSSL_GC_STRESS"] == "1" GC.stress = true @@ -222,9 +151,9 @@ AQjjxMXhwULlmuR/K+WwlaZPiLIBYalLAZQ7ZbOPeVkJ8ePao0eLAgEC def setup super - @ca_key = OpenSSL::TestUtils::TEST_KEY_RSA2048 - @svr_key = OpenSSL::TestUtils::TEST_KEY_RSA1024 - @cli_key = OpenSSL::TestUtils::TEST_KEY_DSA1024 + @ca_key = Fixtures.pkey("rsa2048") + @svr_key = Fixtures.pkey("rsa1024") + @cli_key = Fixtures.pkey("dsa1024") @ca = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=CA") @svr = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=localhost") @cli = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=localhost") @@ -241,14 +170,6 @@ AQjjxMXhwULlmuR/K+WwlaZPiLIBYalLAZQ7ZbOPeVkJ8ePao0eLAgEC @server = nil end - def issue_cert(*arg) - OpenSSL::TestUtils.issue_cert(*arg) - end - - def issue_crl(*arg) - OpenSSL::TestUtils.issue_crl(*arg) - end - def readwrite_loop(ctx, ssl) while line = ssl.gets ssl.write(line) @@ -298,7 +219,7 @@ AQjjxMXhwULlmuR/K+WwlaZPiLIBYalLAZQ7ZbOPeVkJ8ePao0eLAgEC ctx.cert_store = store ctx.cert = @svr_cert ctx.key = @svr_key - ctx.tmp_dh_callback = proc { OpenSSL::TestUtils::TEST_KEY_DH1024 } + ctx.tmp_dh_callback = proc { Fixtures.pkey_dh("dh1024") } begin ctx.ecdh_curves = "P-256" rescue NotImplementedError @@ -375,6 +296,4 @@ AQjjxMXhwULlmuR/K+WwlaZPiLIBYalLAZQ7ZbOPeVkJ8ePao0eLAgEC end end end - -end if defined?(OpenSSL::OPENSSL_LIBRARY_VERSION) and - /\AOpenSSL +0\./ !~ OpenSSL::OPENSSL_LIBRARY_VERSION +end |