From 33a67ac96492828c1ea9d88e011da417d4ce7170 Mon Sep 17 00:00:00 2001
From: Kazuki Yamaguchi <k@rhe.jp>
Date: Fri, 15 Dec 2017 16:56:56 +0900
Subject: test/utils: disable Thread's report_on_exception in start_server

Those threads can purposefully raise exceptions when they call 'pend'.
The report_on_exception feature can be safely disabled in this case
since we use assert_join_threads that captures all exceptions raised.

This is necessary to suppress warnings on Ruby 2.5, which enables the
report_on_exception feature by default.
---
 test/utils.rb | 12 ++++++++++++
 1 file changed, 12 insertions(+)

(limited to 'test')

diff --git a/test/utils.rb b/test/utils.rb
index 4331d8bd..b7ddd891 100644
--- a/test/utils.rb
+++ b/test/utils.rb
@@ -216,6 +216,10 @@ class OpenSSL::SSLTestCase < OpenSSL::TestCase
       threads = []
       begin
         server_thread = Thread.new do
+          if Thread.method_defined?(:report_on_exception=) # Ruby >= 2.4
+            Thread.current.report_on_exception = false
+          end
+
           begin
             loop do
               begin
@@ -229,6 +233,10 @@ class OpenSSL::SSLTestCase < OpenSSL::TestCase
               end
 
               th = Thread.new do
+                if Thread.method_defined?(:report_on_exception=)
+                  Thread.current.report_on_exception = false
+                end
+
                 begin
                   server_proc.call(ctx, ssl)
                 ensure
@@ -244,6 +252,10 @@ class OpenSSL::SSLTestCase < OpenSSL::TestCase
         end
 
         client_thread = Thread.new do
+          if Thread.method_defined?(:report_on_exception=)
+            Thread.current.report_on_exception = false
+          end
+
           begin
             block.call(port)
           ensure
-- 
cgit v1.2.3


From 8bb88f13ad5c761f2104a6f8f37f718e119b3ce6 Mon Sep 17 00:00:00 2001
From: Kazuki Yamaguchi <k@rhe.jp>
Date: Fri, 12 Jan 2018 19:33:42 +0900
Subject: cipher: validate iterations argument for Cipher#pkcs5_keyivgen

EVP_BytesToKey() internally converts the iteration count given as an
"int" into an "unsigned int". Calling that with a negative integer will
result in a hang. This is surprising, so let's validate the value by
ourselves and raise ArgumentError as necessary.
---
 ext/openssl/ossl_cipher.c | 2 ++
 test/test_cipher.rb       | 3 +++
 2 files changed, 5 insertions(+)

(limited to 'test')

diff --git a/ext/openssl/ossl_cipher.c b/ext/openssl/ossl_cipher.c
index 740f04b2..9e71c817 100644
--- a/ext/openssl/ossl_cipher.c
+++ b/ext/openssl/ossl_cipher.c
@@ -321,6 +321,8 @@ ossl_cipher_pkcs5_keyivgen(int argc, VALUE *argv, VALUE self)
 	salt = (unsigned char *)RSTRING_PTR(vsalt);
     }
     iter = NIL_P(viter) ? 2048 : NUM2INT(viter);
+    if (iter <= 0)
+	rb_raise(rb_eArgError, "iterations must be a positive integer");
     digest = NIL_P(vdigest) ? EVP_md5() : GetDigestPtr(vdigest);
     GetCipher(self, ctx);
     EVP_BytesToKey(EVP_CIPHER_CTX_cipher(ctx), digest, salt,
diff --git a/test/test_cipher.rb b/test/test_cipher.rb
index 48149d41..732b4fdd 100644
--- a/test/test_cipher.rb
+++ b/test/test_cipher.rb
@@ -44,6 +44,9 @@ class OpenSSL::TestCipher < OpenSSL::TestCase
     s2 = cipher.update(pt) << cipher.final
 
     assert_equal s1, s2
+
+    cipher2 = OpenSSL::Cipher.new("DES-EDE3-CBC").encrypt
+    assert_raise(ArgumentError) { cipher2.pkcs5_keyivgen(pass, salt, -1, "MD5") }
   end
 
   def test_info
-- 
cgit v1.2.3


From 71057ca5963108bac1e2c31bd0e8e205ba74cc19 Mon Sep 17 00:00:00 2001
From: Kazuki Yamaguchi <k@rhe.jp>
Date: Fri, 11 May 2018 13:43:32 +0900
Subject: test/test_pkey_rsa: fix test failure with OpenSSL 1.1.1

OpenSSL 1.1.1 raised the minimum size for RSA keys to 512 bits.
---
 test/test_pkey_rsa.rb | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

(limited to 'test')

diff --git a/test/test_pkey_rsa.rb b/test/test_pkey_rsa.rb
index c1205563..b4393e68 100644
--- a/test/test_pkey_rsa.rb
+++ b/test/test_pkey_rsa.rb
@@ -60,6 +60,13 @@ class OpenSSL::TestPKeyRSA < OpenSSL::PKeyTestCase
     end
   end
 
+  def test_generate
+    key = OpenSSL::PKey::RSA.generate(512, 17)
+    assert_equal 512, key.n.num_bits
+    assert_equal 17, key.e
+    assert_not_nil key.d
+  end
+
   def test_new_break
     assert_nil(OpenSSL::PKey::RSA.new(1024) { break })
     assert_raise(RuntimeError) do
@@ -256,7 +263,7 @@ class OpenSSL::TestPKeyRSA < OpenSSL::PKeyTestCase
   end
 
   def test_dup
-    key = OpenSSL::PKey::RSA.generate(256, 17)
+    key = Fixtures.pkey("rsa1024")
     key2 = key.dup
     assert_equal key.params, key2.params
     key2.set_key(key2.n, 3, key2.d)
-- 
cgit v1.2.3


From a5e26bc1345fe325bdc619f9b1768b7ad3c94214 Mon Sep 17 00:00:00 2001
From: Kazuki Yamaguchi <k@rhe.jp>
Date: Fri, 11 May 2018 14:12:39 +0900
Subject: test/test_ssl_session: set client protocol version explicitly

Clients that implement TLS 1.3's Middlebox Compatibility Mode will
always provide a non-empty session ID in the ClientHello. This means
the "get" callback for the server-side session caching may be called
for the initial connection.
---
 test/test_ssl_session.rb | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

(limited to 'test')

diff --git a/test/test_ssl_session.rb b/test/test_ssl_session.rb
index af8c65b1..6db0c2d1 100644
--- a/test/test_ssl_session.rb
+++ b/test/test_ssl_session.rb
@@ -198,7 +198,9 @@ __EOS__
       first_session = nil
       10.times do |i|
         connections = i
-        server_connect_with_session(port, nil, first_session) { |ssl|
+        cctx = OpenSSL::SSL::SSLContext.new
+        cctx.ssl_version = :TLSv1_2
+        server_connect_with_session(port, cctx, first_session) { |ssl|
           ssl.puts("abc"); assert_equal "abc\n", ssl.gets
           first_session ||= ssl.session
 
@@ -257,6 +259,8 @@ __EOS__
 
     connections = nil
     called = {}
+    cctx = OpenSSL::SSL::SSLContext.new
+    cctx.ssl_version = :TLSv1_2
     sctx = nil
     ctx_proc = Proc.new { |ctx|
       sctx = ctx
@@ -292,7 +296,7 @@ __EOS__
     }
     start_server(ctx_proc: ctx_proc) do |port|
       connections = 0
-      sess0 = server_connect_with_session(port, nil, nil) { |ssl|
+      sess0 = server_connect_with_session(port, cctx, nil) { |ssl|
         ssl.puts("abc"); assert_equal "abc\n", ssl.gets
         assert_equal false, ssl.session_reused?
         ssl.session
@@ -307,7 +311,7 @@ __EOS__
 
       # Internal cache hit
       connections = 1
-      server_connect_with_session(port, nil, sess0.dup) { |ssl|
+      server_connect_with_session(port, cctx, sess0.dup) { |ssl|
         ssl.puts("abc"); assert_equal "abc\n", ssl.gets
         assert_equal true, ssl.session_reused?
         ssl.session
@@ -328,7 +332,7 @@ __EOS__
 
       # External cache hit
       connections = 2
-      sess2 = server_connect_with_session(port, nil, sess0.dup) { |ssl|
+      sess2 = server_connect_with_session(port, cctx, sess0.dup) { |ssl|
         ssl.puts("abc"); assert_equal "abc\n", ssl.gets
         if !ssl.session_reused? && openssl?(1, 1, 0) && !openssl?(1, 1, 0, 7)
           # OpenSSL >= 1.1.0, < 1.1.0g
@@ -355,7 +359,7 @@ __EOS__
 
       # Cache miss
       connections = 3
-      sess3 = server_connect_with_session(port, nil, sess0.dup) { |ssl|
+      sess3 = server_connect_with_session(port, cctx, sess0.dup) { |ssl|
         ssl.puts("abc"); assert_equal "abc\n", ssl.gets
         assert_equal false, ssl.session_reused?
         ssl.session
-- 
cgit v1.2.3