aboutsummaryrefslogtreecommitdiffstats
path: root/test
Commit message (Collapse)AuthorAgeFilesLines
* x509name: add 'loc' and 'set' kwargs to OpenSSL::X509::Name#add_entryky/x509name-add-entry-optionsKazuki Yamaguchi2017-07-251-0/+34
| | | | | | | | Add a way to specify these arguments for X509_NAME_add_entry_by_txt(). We currently always use -1 and 0 respectively, which will result in appending a new single-valued RDN to the end. Fixes: https://github.com/ruby/openssl/issues/94
* Merge branch 'maint'bpointKazuki Yamaguchi2017-06-144-3/+27
|\ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * maint: Ruby/OpenSSL 2.0.4 History.md: add entries for 2.0.1-2.0.3 History.md: wrap at 80 characters extconf.rb: simplify searching libraries logic Search SSL libraries by testing various filename patterns openssl: fix broken openssl check openssl: fix broken openssl check x509store: clear error queue after calling X509_LOOKUP_load_file() tool/sync-with-trunk: 'LASY' -> 'LAST' Update .travis.yml and Dockerfile test/test_x509store: skip OpenSSL::TestX509Store#test_set_errors Fix documentation for OpenSSL::Cipher#final Fix typos ssl: check return value of SSL_set_fd() test/test_ssl: fix typo in test_sysread_and_syswrite Fix typos test/test_pkey_ec: do not use dummy 0 order
| * x509store: clear error queue after calling X509_LOOKUP_load_file()Kazuki Yamaguchi2017-06-141-0/+23
| | | | | | | | | | | | | | | | | | | | | | X509_LOOKUP_load_file(), which ends up calling X509_load_cert_crl_file() internally, may leave error entries in the queue even when it returns non-zero value (which indicates success). This will be fixed by OpenSSL 1.1.1, but can be worked around by clearing the error queue ourselves. Fixes: https://bugs.ruby-lang.org/issues/11033
| * Merge branch 'topic/test-ssl-fix-typo' into maintKazuki Yamaguchi2017-05-041-1/+1
| |\ | | | | | | | | | | | | * topic/test-ssl-fix-typo: test/test_ssl: fix typo in test_sysread_and_syswrite
| | * test/test_ssl: fix typo in test_sysread_and_syswritetopic/test-ssl-fix-typoKazuki Yamaguchi2017-03-231-1/+1
| | | | | | | | | | | | | | | The test case for second argument of OpenSSL::SSL::SSLSocket#sysread is not testing the behavior correctly because of a typo.
| * | test/test_x509store: skip OpenSSL::TestX509Store#test_set_errorsKazuki Yamaguchi2017-04-281-0/+1
| |/ | | | | | | | | | | | | X509_STORE_add_{cert,crl}() will no longer fail with 'cert already in hash table' if they are called twice, since the (unreleased) next version of OpenSSL. Don't test that if we are built with OpenSSL >= 1.1.0.
| * Fix typosSHIBATA Hiroshi2017-02-141-1/+1
| |
| * test/test_pkey_ec: do not use dummy 0 orderKazuki Yamaguchi2017-02-031-1/+1
| | | | | | | | | | | | | | Ubuntu trusty's OpenSSL package 1.0.1f-1ubuntu2.22 has backported an OpenSSL commit f54be179aa4c that makes EC_GROUP_set_generator() call BN_MONT_CTX_set() which can segfault if an invalid value (== 0) is given. Avoid it.
* | Add fips_mode_get to return fips_modeColton Jenkins2017-06-091-0/+9
| |
* | Merge branch 'topic/kdf-module'Kazuki Yamaguchi2017-03-232-98/+139
|\ \ | | | | | | | | | | | | | | | | | | | | | | | | scrypt support is added. * topic/kdf-module: kdf: add scrypt ossl.h: add NUM2UINT64T() macro kdf: introduce OpenSSL::KDF module
| * | kdf: add scrypttopic/kdf-moduleKazuki Yamaguchi2017-03-231-0/+36
| | | | | | | | | | | | | | | Add OpenSSL::KDF.scrypt as a wrapper around EVP_PBE_scrypt(). This is added by OpenSSL 1.1.0.
| * | kdf: introduce OpenSSL::KDF moduleKazuki Yamaguchi2017-03-231-10/+15
| | | | | | | | | | | | | | | | | | | | | | | | | | | Introduce a new OpenSSL::KDF module as a namespace for to-be-added KDFs. This makes it easier to add new KDFs in future. We already have a stand-alone KDF, OpenSSL::PKCS5.pbkdf2_hmac. This is migrated to the new namespace. The backwards compatibility is retained by the method defined in the newly added lib/openssl/pkcs5.rb.
* | | Merge branch 'maint'Kazuki Yamaguchi2017-01-312-0/+15
|\ \ \ | |/ / |/| / | |/ | | | | | | | | | | | | * maint: Ruby/OpenSSL 2.0.3 .travis.yml: test with Ruby 2.4 ruby-openssl-docker: update versions of Ruby and OpenSSL x509: fix OpenSSL::X509::Name#eql? test/envutil: fix assert_raise_with_message buffering: fix typo in doc
| * x509: fix OpenSSL::X509::Name#eql?Kazuki Yamaguchi2017-01-281-0/+10
| | | | | | | | | | | | | | | | Commit 34e7fe34ee32 ("Use rb_obj_class() instead of CLASS_OF()", 2016-09-08) incorrectly inverted the result. Fix it, and add a test case for this. Fixes: 34e7fe34ee32 ("Use rb_obj_class() instead of CLASS_OF()")
| * test/envutil: fix assert_raise_with_messageKazuki Yamaguchi2017-01-241-0/+5
| | | | | | | | Import mu_pp method from Ruby trunk.
* | Merge branch 'topic/ssl-certificate-verify-error-desc'Kazuki Yamaguchi2017-01-261-0/+24
|\ \ | | | | | | | | | | | | | | | * topic/ssl-certificate-verify-error-desc: ssl: show reason of 'certificate verify error' in exception message Make exceptions with the same format regardless of OpenSSL.debug
| * | ssl: show reason of 'certificate verify error' in exception messagetopic/ssl-certificate-verify-error-descKazuki Yamaguchi2017-01-241-0/+24
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The 'certificate verify error' is one of the most common errors that can be raised by OpenSSL::SSL::SSLSocket#connect. The certificate verification may fail due to many different issues such as misconfigured trusted certificate store or inaccurate system clock. Unfortunately, since the detail is not put to the queue and is only accessible through OpenSSL::SSL::SSLSocket#verify_result, it is sometimes hard to figure out the real reason. Let's include a human readable reason message in the exception message. Like this: require "socket" require "openssl" ctx = OpenSSL::SSL::SSLContext.new ctx.set_params(cert_store: OpenSSL::X509::Store.new) ssl = OpenSSL::SSL::SSLSocket.new(Socket.tcp("www.ruby-lang.org", 443), ctx) ssl.connect #=> -:7:in `connect': SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate) (OpenSSL::SSL::SSLError) from -:7:in `<main>'
* | | Merge branch 'topic/ssl-move-default-dh-params'Kazuki Yamaguchi2017-01-261-16/+0
|\ \ \ | | | | | | | | | | | | | | | | * topic/ssl-move-default-dh-params: ssl: move default DH parameters from OpenSSL::PKey::DH
| * | | ssl: move default DH parameters from OpenSSL::PKey::DHtopic/ssl-move-default-dh-paramsKazuki Yamaguchi2017-01-241-16/+0
| |/ / | | | | | | | | | They should belong to OpenSSL::SSL rather than OpenSSL::PKey::DH.
* | | Merge branch 'topic/test-memory-leak'Kazuki Yamaguchi2017-01-1723-295/+282
|\ \ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * topic/test-memory-leak: Enable OSSL_MDEBUG on CI builds Add OpenSSL.print_mem_leaks test: prepare test PKey instances on demand test: let OpenSSL::TestCase include OpenSSL::TestUtils Don't define main() when built with --enable-debug
| * | | Add OpenSSL.print_mem_leaksKazuki Yamaguchi2017-01-171-0/+20
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Add a wrapper method for CRYPTO_mem_leaks_fp(stderr). Calling the method at the end of programs helps debugging memory leak bugs in Ruby/OpenSSL. This is defined only when --enable-debug option is given when building Ruby/OpenSSL, and the OpenSSL version is capable. The test suite recognizes 'OSSL_MDEBUG' environment variable. Set to '1' to enable the memory leak checker. This would prevent creating another memory leak problem at least on the success paths. Note that this may print some false-positives with OpenSSL <= 1.0.2. It was once introduced by f0754f0b2f33 ("test: add test/mdebug extension", 2016-08-06) as a separate native extension, but reverted by 4c1ca7669180 ("Remove test/mdebug", 2016-08-26) because it didn't work on Windows. Let's re-introduce as part of openssl.so.
| * | | test: prepare test PKey instances on demandKazuki Yamaguchi2017-01-1723-261/+259
| | | | | | | | | | | | | | | | | | | | | | | | Preparing for the introduction of the memory leak checker. Do not leave OpenSSL objects in constants that wouldn't be GCed in order to avoid false positives.
| * | | test: let OpenSSL::TestCase include OpenSSL::TestUtilsKazuki Yamaguchi2017-01-166-34/+3
| | | | | | | | | | | | | | | | | | | | OpenSSL::TestPKCS12 is already doing this - let's apply to all test files. This allows removing redundant 'issue_cert' declarations.
* | | | Merge branch 'maint'Kazuki Yamaguchi2017-01-171-0/+7
|\ \ \ \ | | |_|/ | |/| | | | | | | | | | | | | | | | | | * maint: appveyor.yml: update OpenSSL version to 1.0.2j Fix build with static OpenSSL libraries on Windows Fix for ASN1::Constructive 'each' implementation
| * | | Fix for ASN1::Constructive 'each' implementationCorey Bonnell2016-12-291-0/+7
| | |/ | |/|
* | | Merge branch 'topic/bn-updates'Kazuki Yamaguchi2016-12-261-51/+266
|\ \ \ | |_|/ |/| | | | | | | | | | | | | | | | | | | | | | | Tests for OpenSSL::BN are re-written. OpenSSL::BN now implements unary+ operator, unary- operator and negative? method. * topic/bn-updates: bn: implement OpenSSL::BN#negative? bn: implement unary {plus,minus} operators for OpenSSL::BN bn: refine tests
| * | bn: implement OpenSSL::BN#negative?topic/bn-updatesKazuki Yamaguchi2016-12-231-0/+6
| | | | | | | | | | | | | | | Numeric class implemented #negative? and #positive? in Ruby 2.3. Let's follow that.
| * | bn: implement unary {plus,minus} operators for OpenSSL::BNKazuki Yamaguchi2016-12-231-0/+7
| | | | | | | | | | | | | | | For consistency with Numeric. Not sure why they aren't currently; maybe they were simply forgotten.
| * | bn: refine testsKazuki Yamaguchi2016-12-231-51/+253
| |/ | | | | | | | | | | | | Many methods in OpenSSL::BN are currently untested. Since OpenSSL::BN is mostly simple wrapper of BIGNUM, it would be unnecessary to have detailed test cases, but we should have a basic test case so that we don't mix up BIGNUM functions in the binding layer.
* / Remove support for OpenSSL 0.9.8 and 1.0.0topic/drop-openssl-098-and-100Kazuki Yamaguchi2016-12-2230-218/+66
|/ | | | | | | | | | They are no longer receiving security updates from the OpenSSL development team since 2015-12. We have kept basic compatibility until now because RHEL 5 still uses an (heavily modified) OpenSSL 0.9.8e. The RHEL 5 will reach EOL on 2017-03, thus it is now safe to assume nobody is still using such old versions of OpenSSL.
* Merge pull request #88 from yogo1212/generalizedtime_formatKazuki Yamaguchi2016-12-101-0/+8
|\ | | | | asn1: handle GENERALIZEDTIME without seconds
| * asn1: handle GENERALIZEDTIME without secondsLeon M. George2016-12-091-0/+8
| |
* | test: run test cases under GC.stress if OSSL_GC_STRESS is specifiedtopic/under-gc-stressKazuki Yamaguchi2016-12-051-0/+9
| | | | | | | | | | This would have caught some of GC issues like one reported at [ruby/openssl#87].
* | test/test_pair: make TestPairM#test_write_nonblock_retry fasterKazuki Yamaguchi2016-12-051-1/+1
| | | | | | | | | | | | | | Write 4099-bytes blocks instead of 11-bytes blocks to run it faster. The buffer may be as large as megabytes and it takes too much time to fill up, especially under GC.stress. I didn't measured but it didn't finish in an hour.
* | test: call super from each test case's 'setup' methodKazuki Yamaguchi2016-12-0514-0/+14
| | | | | | | | | | | | Just like we already do for 'teardown' method, though we don't have OpenSSL::TestCase#setup yet. This will be useful when we want to inject GC.stress = true.
* | test/test_cipher: fix test with OpenSSL 1.0.1 before 1.0.1dKazuki Yamaguchi2016-12-011-8/+8
|/ | | | | | | | | Set the authentication tag before the AAD when decrypting. Before OpenSSL commit 96f7fafa2431 ("Don't require tag before ciphertext in AESGCM mode", 2012-10-16, at OpenSSL_1_0_1-stable branch, included in OpenSSL 1.0.1d), the authentication tag must be set before any calls of EVP_CipherUpdate().
* Merge changes from Ruby trunk r56492..r56927Kazuki Yamaguchi2016-11-302-5/+5
|\ | | | | | | | | | | | | | | * ruby-trunk r56492..r56927: (2 commits) (r56927) parse.y: ambiguous parentheses (r56578) openssl/ut_eof.rb: rename TestEOF Sync-with-trunk: r56927
| * openssl/ut_eof.rb: rename TestEOFnobu2016-11-302-5/+5
| | | | | | | | | | | | | | * test/openssl/ut_eof.rb (OpenSSL::TestEOF): move TestEOF module under OpenSSL to get rid of conflict with test/ruby/ut_eof.rb. git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@56578 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* | test: fix fragile test casesKazuki Yamaguchi2016-11-309-128/+66
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Fix the fragile test cases that are sensitive to the difference between Time.now.to_i and time(2). When issuing test certificates, we are typically setting the current time fetched by Time.now to the notBefore field. Time.now uses clock_gettime(2) with CLOCK_REALTIME. On the other hand, OpenSSL uses time(2) in its certificate verification code. On Linux/x86-64, time(2) is implemented not to return the adjusted 'current time' like Time.now, but to return the wall clock seconds at the last tick. This results in that time(2) called later may return an earlier time, causing the certificate verification to fail with 'certificate is not yet valid' error. So, create test certificates with notBefore<Time.now to avoid this. Since it's awful to do "Time.now - 1" everywhere, make the notBefore and notAfter fields optional with defaults with margin.
* | ssl: make OpenSSL::SSL::SSLContext#freeze an alias of #setuptopic/ssl-make-sslctx-freeze-alias-of-setupKazuki Yamaguchi2016-11-291-0/+12
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | SSLSocket#setup uses the frozen state as "SSL_CTX is already set up". If an user manually freeze the context, it misunderstands as if #setup is already called, leading to unexpected behaviors because parameters the user set won't be actually set to the underlying SSL_CTX and thus ignored. Ideally, #setup should go and be replaced with setters. But we don't do this now because it is not that simple: some of them would produce new ordering issues, e.g. 'ca_file' property which loads a file into SSL_CTX::cert_store and 'cert_store' which replaces SSL_CTX::cert_store would conflict. Fixing this properly would require deprecating 'ca_file' first. So, let's take the second best way: make it "just work" instead of break silently. Fixes: https://github.com/ruby/openssl/issues/85
* | engine: undef alloc functionKazuki Yamaguchi2016-11-161-7/+0
| | | | | | | | | | | | This prevents users from allocating OpenSSL::Engine instance using OpenSSL::Engine.allocate. Undef'ing alloc function also allows us to remove explicit undef of OpenSSL::Engine.new and #initialize_copy.
* | Merge branch 'topic/asn1-fix-oob-read-constructed'Kazuki Yamaguchi2016-11-071-0/+23
|\ \ | |/ |/| | | | | * topic/asn1-fix-oob-read-constructed: asn1: fix out-of-bounds read in decoding constructed objects
| * asn1: fix out-of-bounds read in decoding constructed objectstopic/asn1-fix-oob-read-constructedKazuki Yamaguchi2016-09-281-0/+23
| | | | | | | | | | | | | | | | | | | | OpenSSL::ASN1.{decode,decode_all,traverse} have a bug of out-of-bounds read. int_ossl_asn1_decode0_cons() does not give the correct available length to ossl_asn1_decode() when decoding the inner components of a constructed object. This can cause out-of-bounds read if a crafted input given. Reference: https://hackerone.com/reports/170316
* | test/test_pair: revert workaround added by r42790Kazuki Yamaguchi2016-10-241-12/+6
| | | | | | | | | | | | | | It was added as a workaround for "bad write retry" error that occurs when SSLSocket#write_nonblock is retried with a different String. This is now fixed by r54466 ("openssl: accept moving write buffer for write_nonblock", 2016-03-31).
* | Merge branch 'topic/test-static-test-vector'Kazuki Yamaguchi2016-10-174-56/+56
|\ \ | | | | | | | | | | | | * topic/test-static-test-vector: test/test_pkey_*: refine sign/verify tests
| * | test/test_pkey_*: refine sign/verify teststopic/test-static-test-vectorKazuki Yamaguchi2016-10-164-56/+56
| | | | | | | | | | | | | | | | | | | | | | | | 20a88ace0778 ("test: refactor PKey::PKey#{sign,verify} tests", 2016-07-07) was not a good idea in the sense of readability. So, let's revert it. Also, static test vectors generated by BouncyCastle are added to ensure #verify correctly accept valid signatures and reject invalid signatures.
* | | Merge branch 'topic/test-static-test-vector'Kazuki Yamaguchi2016-10-092-263/+218
|\| | | | | | | | | | | | | | | | | * topic/test-static-test-vector: test/test_hmac: use static test vectors test/test_cipher: use static test vectors
| * | test/test_hmac: use static test vectorsKazuki Yamaguchi2016-10-091-25/+19
| | | | | | | | | | | | | | | Ensure that OpenSSL::HMAC works as expected by comparing the result with known correct test vectors.
| * | test/test_cipher: use static test vectorsKazuki Yamaguchi2016-10-091-238/+199
| | | | | | | | | | | | | | | | | | | | | | | | | | | Compare the result with static test vectors rather than just testing that the encryption result can be decrypted. The current test cases wouldn't catch failure if both the encryption and decryption routines are broken. Test vectors are taken from external sources as noted in the comments.
* | | Merge branch 'topic/pkey-ec-conversion-form'Kazuki Yamaguchi2016-10-091-0/+4
|\ \ \ | |/ / |/| | | | | | | | * topic/pkey-ec-conversion-form: pkey: allow specifying conversion form in EC::Point#to_bn
generated by cgit v1.2.3 (git 2.39.1) at 2024-10-02 03:06:16 +0000