aboutsummaryrefslogtreecommitdiffstats
path: root/test
Commit message (Collapse)AuthorAgeFilesLines
...
* ssl: update test_options_disable_versionsKazuki Yamaguchi2021-12-201-35/+40
| | | | | Use the combination of TLS 1.2 and TLS 1.3 instead of TLS 1.1 and TLS 1.2 so that will the test case will be run on latest platforms.
* ssl: update test_accept_errors_include_peeraddr test caseKazuki Yamaguchi2021-12-201-6/+4
| | | | | Use a different invalid data example to prevent SSLSocket#accept from reaching EOF.
* hmac: skip test_dup on OpenSSL 3.0 for nowKazuki Yamaguchi2021-12-201-0/+1
| | | | | | EVP_MD_CTX_copy() doesn't seem to work as intended on HMAC EVP_MD_CTX on OpenSSL 3.0.0 and causes a double free. I haven't found the root problem yet, but let's skip the test case for now.
* cipher: update test_ciphersKazuki Yamaguchi2021-12-201-8/+5
| | | | | Do not attempt to actually use all algorithms. Not all algorithms listed in OpenSSL::Cipher.ciphers are always available.
* Merge pull request #480 from rhenium/ky/pkey-deprecate-modifyKazuki Yamaguchi2021-12-204-84/+144
|\ | | | | pkey: deprecate PKey::*#set_* and PKey::{DH,EC}#generate_key!
| * pkey: deprecate PKey#set_* methodsky/pkey-deprecate-modifyKazuki Yamaguchi2021-12-204-68/+121
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | OpenSSL 3.0 made EVP_PKEY immutable. This means we can only have a const pointer of the low level struct and the following methods can no longer be provided when linked against OpenSSL 3.0: - OpenSSL::PKey::RSA#set_key - OpenSSL::PKey::RSA#set_factors - OpenSSL::PKey::RSA#set_crt_params - OpenSSL::PKey::DSA#set_pqg - OpenSSL::PKey::DSA#set_key - OpenSSL::PKey::DH#set_pqg - OpenSSL::PKey::DH#set_key - OpenSSL::PKey::EC#group= - OpenSSL::PKey::EC#private_key= - OpenSSL::PKey::EC#public_key= There is no direct replacement for this functionality at the moment. I plan to introduce a wrapper around EVP_PKEY_fromdata(), which takes all key components at once to construct an EVP_PKEY.
| * pkey/ec: deprecate OpenSSL::PKey::EC#generate_key!Kazuki Yamaguchi2021-12-201-8/+13
| | | | | | | | | | | | OpenSSL::PKey::EC#generate_key! will not work on OpenSSL 3.0 because keys are made immutable. Users should use OpenSSL::PKey.generate_key instead.
| * pkey/dh: deprecate OpenSSL::PKey::DH#generate_key!Kazuki Yamaguchi2021-12-201-8/+10
| | | | | | | | | | | | OpenSSL::PKey::DH#generate_key! will not work on OpenSSL 3.0 because keys are made immutable. Users should use OpenSSL::PKey.generate_key instead.
* | pkey: test parsing concatenated PEM stringKazuki Yamaguchi2021-12-121-0/+6
|/ | | | | | | | | | | PEM-encoded private keys are sometimes stored together with irrelevant PEM blocks, such as the corresponding X.509 certificate. PEM_read_bio_*() family automatically skips unknown PEM blocks, but on OpenSSL 3.0 we will be using the new OSSL_DECODER API instead due to some breaking changes around the password callback. Let's add a test case so that we won't break the current behavior.
* Fix typos [ci skip]Nobuyoshi Nakada2021-11-031-1/+1
|
* Merge pull request #469 from rhenium/ky/ssl-unstarted-ioKazuki Yamaguchi2021-11-011-51/+12
|\ | | | | ssl: disallow reading/writing to unstarted SSL socket
| * ssl: disallow reading/writing to unstarted SSL socketky/ssl-unstarted-ioKazuki Yamaguchi2021-10-251-51/+12
| | | | | | | | | | | | | | | | | | | | | | | | | | OpenSSL::SSL::SSLSocket allowed #read and #write to be called before an SSL/TLS handshake is completed. They passed unencrypted data to the underlying socket. This behavior is very odd to have in this library. A verbose mode warning "SSL session is not started yet" was emitted whenever this happened. It also didn't behave well with OpenSSL::Buffering. Let's just get rid of it. Fixes: https://github.com/ruby/openssl/issues/9
* | bn: make BN.pseudo_rand{,_range} an alias of BN.rand{,_range}Kazuki Yamaguchi2021-10-241-0/+4
|/ | | | | | BN_pseudo_rand() and BN_pseudo_rand_range() are deprecated in OpenSSL 3.0. Since they are identical to their non-'pseudo' version anyway, let's make them alias.
* test/openssl/test_ssl: use assert_raise in test_bad_socketKazuki Yamaguchi2021-10-231-1/+1
| | | | The Ruby tree disallows assert_raises.
* Merge pull request #467 from ruby/reject-bad-paramsKazuki Yamaguchi2021-10-231-0/+11
|\ | | | | Raise an exception if the IO object passed to SSLSocket isn't a file
| * Raise an exception if the IO object passed to SSLSocket isn't a fileAaron Patterson2021-10-221-0/+11
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | SSLSocket#connect eventually calls `GetOpenFile` in order to get the underlying file descriptor for the IO object passed in on initialization. `GetOpenFile` assumes that the Ruby object passed in is a T_FILE object and just casts it to a T_FILE without any checks. If you pass an object that *isn't* a T_FILE to that function, the program will segv. Since we assume the IO object is a file in the `connect` method, this commit adds a `CheckType` in the initialize method to ensure that the IO object is actually a T_FILE. If the object *isn't* a T_FILE, this class will segv on `connect`, so I think this is a backwards compatible change.
* | test/openssl/test_pkey_rsa: disable test_no_private_exp on OpenSSL 3.0ky/ssl-test-assume-ec-supportKazuki Yamaguchi2021-10-221-1/+1
| | | | | | | | | | OpenSSL::PKey::RSA#set_key does not exist when built with OpenSSL 3.0, so it is not possible to create an RSA object with incomplete state.
* | test/openssl/test_pkey: use EC keys for PKey.generate_parameters testsKazuki Yamaguchi2021-10-221-16/+11
| | | | | | | | | | | | OpenSSL 3.0 refuses to generate DSA parameters shorter than 2048 bits, but generating 2048 bits parameters takes very long time. Let's use EC in these test cases instead.
* | test/openssl/test_ssl: fix illegal SAN extensionKazuki Yamaguchi2021-10-221-2/+1
| | | | | | | | | | | | A certificate can only have one SubjectAltName extension. OpenSSL 3.0 performs a stricter validation and certificates containing multiple SANs will be rejected.
* | test/openssl/test_pkcs12: fix test failures with OpenSSL 3.0Kazuki Yamaguchi2021-10-221-148/+149
| | | | | | | | | | | | | | | | | | OpenSSL's PKCS12_create() by default uses pbewithSHAAnd40BitRC2-CBC for encryption of the certificates. However, in OpenSSL 3.0, the algorithm is part of the legacy provider and is not enabled by default. Specify another algorithm that is still in the default provider for these test cases.
* | test/openssl/test_ssl: relax regex to match OpenSSL's error messageKazuki Yamaguchi2021-10-221-1/+3
| | | | | | | | | | | | OpenSSL 3.0 slightly changed the error message for a certificate verification failure when an untrusted self-signed certificate is found in the chain.
* | test/openssl/test_digest: do not test constants for legacy algorithmsKazuki Yamaguchi2021-10-221-1/+1
| | | | | | | | | | | | Remove availability test for MD4 and RIPEMD160 as they are considered legacy and may be missing depending on the compile-time options of OpenSSL. OpenSSL 3.0 by default disables them.
* | test/openssl/test_ssl: assume ECC supportKazuki Yamaguchi2021-10-224-24/+14
| | | | | | | | | | | | | | | | Disabling ECC support of OpenSSL is impractical nowadays. We still try to have the C extension compile on no-ec builds (as well as no-dh or no-engine, etc.) as long as we can, but keeping test cases for such an extreme scenario is not worth the effort.
* | test/openssl/test_ssl: assume TLS 1.2 supportKazuki Yamaguchi2021-10-193-55/+26
| | | | | | | | | | Current versions of OpenSSL and LibreSSL all support TLS 1.2, so there is no need for checking the availability.
* | test/openssl/utils: remove dup_public helper methodKazuki Yamaguchi2021-10-195-51/+44
|/ | | | | | It uses deprecated PKey::{RSA,DSA,DH}#set_* methods, which will not work with OpenSSL 3.0. The same can easily be achieved using PKey#public_to_der regardless of the key kind.
* require Ruby 2.6 or laterky/require-ruby-2.6Kazuki Yamaguchi2021-10-161-9/+3
| | | | | | | | Drop support for Ruby 2.3, 2.4, and 2.5. As of 2021-10, Ruby 2.6 is the oldest version that still receives security fixes from the Ruby core team, so it doesn't make much sense to keep code for those ancient versions.
* Use Test::Unit::PendedError instead of MiniTest::Skip for test-unit migrationHiroshi SHIBATA2021-10-161-2/+1
| | | | (cherry picked from commit ruby/ruby@ecfbf1df33a1e90008baa131369c80cfa6282692)
* Merge branch 'maint-2.2'Kazuki Yamaguchi2021-10-163-8/+27
|\ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * maint-2.2: (43 commits) Ruby/OpenSSL 2.2.1 openssl is ractor-safe Fixed the results of OpenSSL::Timestamp::Response#failure_info Don't redefine #rb_intern over and over again Use rb_intern_const instead of rb_intern in Init functions Remove trailing spaces [ci skip] test/openssl/test_ssl: use TLS 1.2 for finished_messages on LibreSSL Ruby/OpenSSL 2.1.3 ssl: avoid directly storing String object in NPN callback x509store: explicitly call rb_gc_mark() against Store/StoreContext ssl: explicitly call rb_gc_mark() against SSLContext/SSLSocket objects digest: load digest library using Kernel#require pkey: use RSTRING_LENINT() instead of casting to int fix segv in Timestamp::{Request,Response,TokenInfo}.new ts: libressl build fix warning ext/openssl/extconf.rb: require OpenSSL version >= 1.0.1, < 3 .github/workflows: update OpenSSL/LibreSSL versions test: adjust test cases for LibreSSL 3.2.4 ssl: temporary lock string buffer while reading ssl: create a temporary frozen string buffer when writing ...
| * Fixed the results of OpenSSL::Timestamp::Response#failure_infoNobuyoshi Nakada2021-10-161-0/+5
| | | | | | | | | | | | | | | | | | | | | | [ This is a backport to the 2.2 branch. ] Made stored values `Symbol`s instead of `ID`s. Fixes https://bugs.ruby-lang.org/issues/17625 Co-Authored-By: xtkoba (Tee KOBAYASHI) <xtkoba+ruby@gmail.com> (cherry picked from commit f2d004679a62408a89d7304b229c24e789b94776)
| * test/openssl/test_ssl: use TLS 1.2 for finished_messages on LibreSSLKazuki Yamaguchi2021-10-161-0/+1
| | | | | | | | | | LibreSSL 2.2.x has a bug in the Finished message handling with TLS 1.3. This is fixed by LibreSSL 3.3.2.
| * Merge branch 'maint-2.1' into maint-2.2Kazuki Yamaguchi2021-10-163-11/+45
| |\ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * maint-2.1: Ruby/OpenSSL 2.1.3 ssl: avoid directly storing String object in NPN callback x509store: explicitly call rb_gc_mark() against Store/StoreContext ssl: explicitly call rb_gc_mark() against SSLContext/SSLSocket objects digest: load digest library using Kernel#require pkey: use RSTRING_LENINT() instead of casting to int ext/openssl/extconf.rb: require OpenSSL version >= 1.0.1, < 3 .github/workflows: update OpenSSL/LibreSSL versions test: adjust test cases for LibreSSL 3.2.4 ssl: temporary lock string buffer while reading ssl: create a temporary frozen string buffer when writing Use rb_block_call() instead of the deprecated rb_iterate() in OpenSSL
| | * test: adjust test cases for LibreSSL 3.2.4Kazuki Yamaguchi2021-09-273-11/+45
| | | | | | | | | | | | | | | | | | | | | This is a backport to the 2.1 branch of the following commits: - a0e98d48c91f ("Enhance TLS 1.3 support on LibreSSL 3.2/3.3", 2020-12-03) - a9954bac22ba ("test: adjust test cases for LibreSSL 3.2.4", 2021-02-25)
| * | fix segv in Timestamp::{Request,Response,TokenInfo}.newNobuhiro IMAI2021-09-271-0/+18
| | | | | | | | | | | | prevent `ossl_ts_*_free()` from calling when `d2i_TS_*_bio()` failed.
| * | Merge branch 'maint-2.1' into maint-2.2Kazuki Yamaguchi2021-09-271-8/+8
| |\| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * maint-2.1: (22 commits) test/openssl/test_ssl: skip test_fallback_scsv if necessary test/openssl/test_ssl.rb: ignore SSLError when the connection is closed Fixed misspellings ext/openssl/extconf.rb: do not use -Werror=deprecated-declarations Guard static variable first ext/openssl/ossl_ssl.c: Use const declaration if LibreSSL >= 2.8.0 drop-in type check for rb_define_module_function rb_iterate now takes rb_block_call_func_t Add a /* fall through */ comment test/openssl/utils.rb: Extend the timeout test/test_ssl.rb: Use TLS1.2 test/test_ssl.rb: Use larger keys test: use larger keys for SSL tests test/test_pair: fix deadlock in test_connect_accept_nonblock Ignore warnings about ambiguous first argument with the negative integer. ext/openssl/ossl_bn.c (ossl_bn_initialize): get rid of SEGV errno.h must be included after config.h because config.h might define _REENTRANT, _THREAD_SAFE, etc., which affect how errno is defined on some architectures Fix call-seq of OpenSSL.fips_mode and WIN32OLE_METHOD#name [ci skip] Remove -Wno-parentheses flag. Correctly verify abbreviated IPv6 SANs ...
| | * test/openssl/test_ssl: skip test_fallback_scsv if necessaryKazuki Yamaguchi2021-09-261-0/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | [ This is a backport to the 2.1 branch. ] Run the test case only when the OpenSSL supports both TLS 1.1 and TLS 1.2. Note that the fallback SCSV mechanism is for TLS 1.2 or older and not for 1.3. Fixes: https://github.com/ruby/openssl/issues/336 (cherry picked from commit 6f2e6d7cf777b378b3b51c239abecb4e4af49824)
| | * test/openssl/test_ssl.rb: ignore SSLError when the connection is closedYusuke Endoh2021-09-261-1/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | [ This is a backport to the 2.1 branch. ] "test_close_after_socket_close" checks if ssl.close is no-op even after the wrapped socket is closed. The test itself is fair, but the other endpoint that is reading the SSL connection may fail with SSLError: "SSL_read: unexpected eof while reading" in some environments: https://github.com/ruby/ruby/actions/runs/60085389 (MinGW) https://rubyci.org/logs/rubyci.s3.amazonaws.com/android28-x86_64/ruby-master/log/20200321T034442Z.fail.html.gz ``` 1) Failure: OpenSSL::TestSSL#test_close_after_socket_close [D:/a/ruby/ruby/src/test/openssl/utils.rb:299]: exceptions on 1 threads: SSL_read: unexpected eof while reading ``` This changeset rescues and ignores the SSLError in the test. (cherry picked from commit 96a481b5728c12d6b5f4d99040ad2c77443c94a2)
| | * Fixed misspellingsNobuyoshi Nakada2021-09-261-8/+8
| | | | | | | | | | | | | | | | | | | | | | | | [ This is a backport to the 2.1 branch. ] Fixed misspellings reported at [Bug #16437], for default gems. (cherry picked from commit ruby/ruby@e68999c82c4863d33a6f893661fba1b7538c5671)
| | * test/openssl/utils.rb: Extend the timeoutYusuke Endoh2021-09-261-2/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | [ This is a backport to the 2.1 branch. ] https://rubyci.org/logs/rubyci.s3.amazonaws.com/scw-9d6766/ruby-master/log/20190606T171708Z.fail.html.gz https://rubyci.org/logs/rubyci.s3.amazonaws.com/scw-9d6766/ruby-master/log/20190607T051708Z.fail.html.gz (cherry picked from commit ruby/ruby@7e403dc6c84356e83c02538e76cc70ac789921ac and commit ruby/ruby@75751dca2b9f573db923cecd9767e9174fb69a98)
| | * test/test_ssl.rb: Use TLS1.2Yusuke Endoh2021-09-261-0/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | [ This is a backport to the 2.1 branch. ] The test fails when using OpenSSL 1.1 that supports TLS1.3. To make it pass, this change restricts max_version to TLS1.2. We may need more work for TLS1.3. (cherry picked from commit 133487fbccaae399c7ac7f97f92412db4ee8d305)
| | * test/test_ssl.rb: Use larger keysYusuke Endoh2021-09-261-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | [ This is a backport to the 2.1 branch. ] OpenSSL 1.1.1 seems to require at least 2048 bits for CA's private keys. (cherry picked from commit 37b9e49db3087dad20019f6fd7c80c3b4b013d9d)
| | * test: use larger keys for SSL testsKazuki Yamaguchi2021-09-268-21/+186
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | [ This is a backport to the 2.1 branch. ] Some systems enforce a system-wide policy to restrict key sizes used in SSL/TLS. Use larger ones if possible so that the test suite runs successfully. New PEM files test/fixtures/pkey/{dh-1,rsa-1,rsa-2,rsa-3}.pem are added to the tree, and SSL tests now use them instead of the fixed-size keys. Reference: https://github.com/ruby/openssl/issues/215 (cherry picked from commit 5ba99ad7ae1267ed964f53906530579299f3fcc6)
| | * test/test_pair: fix deadlock in test_connect_accept_nonblockKazuki Yamaguchi2021-09-261-29/+22
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | [ This is a backport to the 2.1 branch. ] Call IO.select with a timeout value and limit the number of retries to prevent stacking forever. Reference: https://github.com/ruby/openssl/issues/214 (cherry picked from commit b0bcb19cb4f95d260c5993df0aaa3667522fb99d)
| | * Ignore warnings about ambiguous first argument with the negative integer.Hiroshi SHIBATA2021-09-261-6/+6
| | | | | | | | | | | | | | | | | | [ This is a backport to the 2.1 branch. ] (cherry picked from commit ruby/ruby@3c77ef9adc567af58e27c62db35d618f3b3069d2)
| | * Correctly verify abbreviated IPv6 SANsBrian Cunnie2021-09-261-1/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | [ This is a backport to the 2.1 branch. ] IPv6 SAN-verification accommodates ["zero-compression"](https://tools.ietf.org/html/rfc5952#section-2.2). It also accommodates non-compressed addresses. Previously the verification of IPv6 addresses would fail unless the address syntax matched a specific format (no zero-compression, no leading zeroes). As an example, the IPv6 loopback address, if represented as `::1`, would not verify. Nor would it verify if represented as `0000:0000:0000:0000:0000:0000:0000:0001`; however, both representations are valid, RFC-compliant representations. The library would only accept a very specific representation (i.e. `0:0:0:0:0:0:0:1`). This commit addresses that shortcoming, and ensures that any valid IPv6 representation will correctly verify. (cherry picked from commit 9322a104d16b02c7a79f9ab589859c9d63fabf52)
| | * Skip one assertion for OpenSSL::PKey::EC::Point#mul on LibreSSLJeremy Evans2020-08-121-2/+8
| | | | | | | | | | | | | | | | | | | | | | | | [ Original commit is 4e9801dff855 in 2.2.0. This is a backport to the 2.1 branch. ] LibreSSL 2.8.0+ does not support multiple elements in the first argument.
* | | ssl: add SSLContext#tmp_dh=ky/ssl-set-tmp-dhKazuki Yamaguchi2021-09-261-7/+17
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Provide a wrapper of SSL_set0_tmp_dh_pkey()/SSL_CTX_set_tmp_dh(), which sets the DH parameters used for ephemeral DH key exchange. SSLContext#tmp_dh_callback= already exists for this purpose, as a wrapper around SSL_CTX_set_tmp_dh_callback(), but it is considered obsolete and the OpenSSL API is deprecated for future removal. There is no practical use case where an application needs to use different DH parameters nowadays. This was originally introduced to support export grade ciphers. RDoc for #tmp_dh_callback= is updated to recommend the new #tmp_dh=. Note that current versions of OpenSSL support automatic ECDHE curve selection which is enabled by default. SSLContext#tmp_dh= should only be necessary if you must allow ancient clients which don't support ECDHE.
* | | test/openssl/test_x509cert.rb: Prevent "unused variable" warningYusuke Endoh2021-07-191-1/+1
| | | | | | | | | | | | (cherry picked from commit ruby/ruby@ab2bd3ff35176031965613abfeb06a9c47e9eee1)
* | | Defer to require prime for OpenSSL::TestBNHiroshi SHIBATA2021-07-181-18/+23
| | | | | | | | | | | | (cherry picked from commit ruby/ruby@b8dcad8d32a5405cbbf29f6705c8975f1773170a)
* | | test/openssl/envutil: remove assert_raise_with_messageky/use-bundlerKazuki Yamaguchi2021-06-251-52/+0
| | | | | | | | | | | | | | | test-unit 3.4.3 added "assert_raise_with_message" to the default assertion methods set.
* | | Include peer socket IP address in errorsVinicius Stock2021-06-141-0/+27
| | |
generated by cgit v1.2.3 (git 2.39.1) at 2024-07-23 04:01:03 +0000