aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorrhe <rhe@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>2016-06-07 12:20:46 +0000
committerrhe <rhe@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>2016-06-07 12:20:46 +0000
commit2aa5fb13da2ae045b17c2cbbe1f6df323d6ad95a (patch)
tree6d8ff28aa42005dbc2710965308b6e9055da9bfa
parentd2442b242132a67f1a9bbf2398969723373a7368 (diff)
downloadruby-2aa5fb13da2ae045b17c2cbbe1f6df323d6ad95a.tar.gz
openssl: adjust tests for OpenSSL 1.1.0
This fixes `make test-all TESTS=openssl` with OpenSSL master. * test/openssl/test_x509name.rb: Don't register OID for 'emailAddress' and 'serialNumber'. A recent change in OpenSSL made OBJ_create() reject an already existing OID. They were needed to run tests with OpenSSL 0.9.6 which is now unsupported. https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=52832e470f5fe8c222249ae5b539aeb3c74cdb25 [ruby-core:75225] [Feature #12324] * test/openssl/test_ssl_session.rb (test_server_session): Duplicate SSL::Session before re-adding to the session store. OpenSSL 1.1.0 starts rejecting SSL_SESSION once removed by SSL_CTX_remove_session(). https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=7c2d4fee2547650102cd16d23f8125b76112ae75 * test/openssl/test_pkey_ec.rb (setup): Remove X25519 from @keys. X25519 is new in OpenSSL 1.1.0 but this is for key agreement and not for signing. * test/openssl/test_pair.rb, test/openssl/test_ssl.rb, test/openssl/utils.rb: Set security level to 0 when using aNULL cipher suites. * test/openssl/utils.rb: Use 1024 bits DSA key for client certificates. * test/openssl/test_engine.rb: Run each test in separate process. We can no longer cleanup engines explicitly as ENGINE_cleanup() was removed. https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=6d4fb1d59e61aacefa25edc4fe5acfe1ac93f743 * ext/openssl/ossl_engine.c (ossl_engine_s_cleanup): Add a note to the RDoc for Engine.cleanup. * ext/openssl/lib/openssl/digest.rb: Don't define constants for DSS, DSS1 and SHA(-0) when using with OpenSSL 1.1.0. They are removed. * test/openssl/test_digest.rb, test/openssl/test_pkey_dsa.rb, test/openssl/test_pkey_dsa.rb, test/openssl/test_ssl.rb, test/openssl/test_x509cert.rb, test/openssl/test_x509req.rb: Don't test unsupported hash functions. git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55314 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
-rw-r--r--ChangeLog40
-rw-r--r--ext/openssl/lib/openssl/digest.rb5
-rw-r--r--ext/openssl/ossl_engine.c2
-rw-r--r--test/openssl/test_digest.rb6
-rw-r--r--test/openssl/test_engine.rb114
-rw-r--r--test/openssl/test_pair.rb15
-rw-r--r--test/openssl/test_pkey_dsa.rb6
-rw-r--r--test/openssl/test_pkey_ec.rb4
-rw-r--r--test/openssl/test_ssl.rb14
-rw-r--r--test/openssl/test_ssl_session.rb8
-rw-r--r--test/openssl/test_x509cert.rb2
-rw-r--r--test/openssl/test_x509name.rb5
-rw-r--r--test/openssl/test_x509req.rb2
-rw-r--r--test/openssl/utils.rb18
14 files changed, 172 insertions, 69 deletions
diff --git a/ChangeLog b/ChangeLog
index 9c59a969c8..dc10d6b248 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,43 @@
+Tue Jun 7 21:20:38 2016 Kazuki Yamaguchi <k@rhe.jp>
+
+ * test/openssl/test_x509name.rb: Don't register OID for 'emailAddress'
+ and 'serialNumber'. A recent change in OpenSSL made OBJ_create()
+ reject an already existing OID. They were needed to run tests with
+ OpenSSL 0.9.6 which is now unsupported.
+ https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=52832e470f5fe8c222249ae5b539aeb3c74cdb25
+ [ruby-core:75225] [Feature #12324]
+
+ * test/openssl/test_ssl_session.rb (test_server_session): Duplicate
+ SSL::Session before re-adding to the session store. OpenSSL 1.1.0
+ starts rejecting SSL_SESSION once removed by SSL_CTX_remove_session().
+ https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=7c2d4fee2547650102cd16d23f8125b76112ae75
+
+ * test/openssl/test_pkey_ec.rb (setup): Remove X25519 from @keys. X25519
+ is new in OpenSSL 1.1.0 but this is for key agreement and not for
+ signing.
+
+ * test/openssl/test_pair.rb, test/openssl/test_ssl.rb,
+ test/openssl/utils.rb: Set security level to 0 when using aNULL cipher
+ suites.
+
+ * test/openssl/utils.rb: Use 1024 bits DSA key for client certificates.
+
+ * test/openssl/test_engine.rb: Run each test in separate process.
+ We can no longer cleanup engines explicitly as ENGINE_cleanup() was
+ removed.
+ https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=6d4fb1d59e61aacefa25edc4fe5acfe1ac93f743
+
+ * ext/openssl/ossl_engine.c (ossl_engine_s_cleanup): Add a note to the
+ RDoc for Engine.cleanup.
+
+ * ext/openssl/lib/openssl/digest.rb: Don't define constants for DSS,
+ DSS1 and SHA(-0) when using with OpenSSL 1.1.0. They are removed.
+
+ * test/openssl/test_digest.rb, test/openssl/test_pkey_dsa.rb,
+ test/openssl/test_pkey_dsa.rb, test/openssl/test_ssl.rb,
+ test/openssl/test_x509cert.rb, test/openssl/test_x509req.rb: Don't
+ test unsupported hash functions.
+
Tue Jun 7 17:49:52 2016 Martin Duerst <duerst@it.aoyama.ac.jp>
* test/ruby/enc/test_case_comprehensive: Change test for encodings
diff --git a/ext/openssl/lib/openssl/digest.rb b/ext/openssl/lib/openssl/digest.rb
index 1240bf596b..1a236cc77d 100644
--- a/ext/openssl/lib/openssl/digest.rb
+++ b/ext/openssl/lib/openssl/digest.rb
@@ -15,7 +15,10 @@
module OpenSSL
class Digest
- alg = %w(DSS DSS1 MD2 MD4 MD5 MDC2 RIPEMD160 SHA SHA1)
+ alg = %w(MD2 MD4 MD5 MDC2 RIPEMD160 SHA1)
+ if OPENSSL_VERSION_NUMBER < 0x10100000
+ alg += %w(DSS DSS1 SHA)
+ end
if OPENSSL_VERSION_NUMBER > 0x00908000
alg += %w(SHA224 SHA256 SHA384 SHA512)
end
diff --git a/ext/openssl/ossl_engine.c b/ext/openssl/ossl_engine.c
index f84b1cfff1..3abc44b34e 100644
--- a/ext/openssl/ossl_engine.c
+++ b/ext/openssl/ossl_engine.c
@@ -160,6 +160,8 @@ ossl_engine_s_load(int argc, VALUE *argv, VALUE klass)
* It is only necessary to run cleanup when engines are loaded via
* OpenSSL::Engine.load. However, running cleanup before exit is recommended.
*
+ * Note that this is needed and works only in OpenSSL < 1.1.0.
+ *
* See also, https://www.openssl.org/docs/crypto/engine.html
*/
static VALUE
diff --git a/test/openssl/test_digest.rb b/test/openssl/test_digest.rb
index ba3e974bc6..51fc03bb87 100644
--- a/test/openssl/test_digest.rb
+++ b/test/openssl/test_digest.rb
@@ -59,9 +59,9 @@ class OpenSSL::TestDigest < OpenSSL::TestCase
end
def test_digest_constants
- algs = %w(DSS1 MD4 MD5 RIPEMD160 SHA1)
- if !libressl? || !version_since([2,3])
- algs += %w(SHA)
+ algs = %w(MD4 MD5 RIPEMD160 SHA1)
+ if OpenSSL::OPENSSL_VERSION_NUMBER < 0x10100000
+ algs += %w(DSS1 SHA)
end
if OpenSSL::OPENSSL_VERSION_NUMBER > 0x00908000
algs += %w(SHA224 SHA256 SHA384 SHA512)
diff --git a/test/openssl/test_engine.rb b/test/openssl/test_engine.rb
index 9a0da34070..77f6e1a967 100644
--- a/test/openssl/test_engine.rb
+++ b/test/openssl/test_engine.rb
@@ -3,75 +3,93 @@ require_relative 'utils'
class OpenSSL::TestEngine < OpenSSL::TestCase
- def teardown
- super
- OpenSSL::Engine.cleanup # [ruby-core:40669]
- assert_equal(0, OpenSSL::Engine.engines.size)
- end
-
def test_engines_free # [ruby-dev:44173]
- OpenSSL::Engine.load("openssl")
- OpenSSL::Engine.engines
- OpenSSL::Engine.engines
+ with_openssl <<-'end;'
+ OpenSSL::Engine.load("openssl")
+ OpenSSL::Engine.engines
+ OpenSSL::Engine.engines
+ end;
end
def test_openssl_engine_builtin
- engine = OpenSSL::Engine.load("openssl")
- assert_equal(true, engine)
- assert_equal(1, OpenSSL::Engine.engines.size)
+ with_openssl <<-'end;'
+ engine = OpenSSL::Engine.load("openssl")
+ assert_equal(true, engine)
+ assert_equal(1, OpenSSL::Engine.engines.size)
+ end;
end
def test_openssl_engine_by_id_string
- engine = get_engine
- assert_not_nil(engine)
- assert_equal(1, OpenSSL::Engine.engines.size)
+ with_openssl <<-'end;'
+ engine = get_engine
+ assert_not_nil(engine)
+ assert_equal(1, OpenSSL::Engine.engines.size)
+ end;
end
def test_openssl_engine_id_name_inspect
- engine = get_engine
- assert_equal("openssl", engine.id)
- assert_not_nil(engine.name)
- assert_not_nil(engine.inspect)
+ with_openssl <<-'end;'
+ engine = get_engine
+ assert_equal("openssl", engine.id)
+ assert_not_nil(engine.name)
+ assert_not_nil(engine.inspect)
+ end;
end
def test_openssl_engine_digest_sha1
- engine = get_engine
- digest = engine.digest("SHA1")
- assert_not_nil(digest)
- data = "test"
- assert_equal(OpenSSL::Digest::SHA1.digest(data), digest.digest(data))
+ with_openssl <<-'end;'
+ engine = get_engine
+ digest = engine.digest("SHA1")
+ assert_not_nil(digest)
+ data = "test"
+ assert_equal(OpenSSL::Digest::SHA1.digest(data), digest.digest(data))
+ end;
end
def test_openssl_engine_cipher_rc4
- engine = get_engine
- algo = "RC4" #AES is not supported by openssl Engine (<=1.0.0e)
- data = "a" * 1000
- key = OpenSSL::Random.random_bytes(16)
- # suppress message from openssl Engine's RC4 cipher [ruby-core:41026]
- err_back = $stderr.dup
- $stderr.reopen(IO::NULL)
- encrypted = crypt_data(data, key, :encrypt) { engine.cipher(algo) }
- decrypted = crypt_data(encrypted, key, :decrypt) { OpenSSL::Cipher.new(algo) }
- assert_equal(data, decrypted)
- ensure
- if err_back
- $stderr.reopen(err_back)
- err_back.close
- end
+ with_openssl <<-'end;'
+ begin
+ engine = get_engine
+ algo = "RC4" #AES is not supported by openssl Engine (<=1.0.0e)
+ data = "a" * 1000
+ key = OpenSSL::Random.random_bytes(16)
+ # suppress message from openssl Engine's RC4 cipher [ruby-core:41026]
+ err_back = $stderr.dup
+ $stderr.reopen(IO::NULL)
+ encrypted = crypt_data(data, key, :encrypt) { engine.cipher(algo) }
+ decrypted = crypt_data(encrypted, key, :decrypt) { OpenSSL::Cipher.new(algo) }
+ assert_equal(data, decrypted)
+ ensure
+ if err_back
+ $stderr.reopen(err_back)
+ err_back.close
+ end
+ end
+ end;
end
private
- def get_engine
- OpenSSL::Engine.by_id("openssl")
+ # this is required because OpenSSL::Engine methods change global state
+ def with_openssl(code)
+ assert_separately(["-ropenssl"], <<~"end;")
+ require #{__FILE__.dump}
+ include OpenSSL::TestEngine::Utils
+ #{code}
+ end;
end
- def crypt_data(data, key, mode)
- cipher = yield
- cipher.send mode
- cipher.key = key
- cipher.update(data) + cipher.final
- end
+ module Utils
+ def get_engine
+ OpenSSL::Engine.by_id("openssl")
+ end
-end if defined?(OpenSSL::TestUtils)
+ def crypt_data(data, key, mode)
+ cipher = yield
+ cipher.send mode
+ cipher.key = key
+ cipher.update(data) + cipher.final
+ end
+ end
+end if defined?(OpenSSL::TestUtils) && defined?(OpenSSL::Engine)
diff --git a/test/openssl/test_pair.rb b/test/openssl/test_pair.rb
index 86aa2798d7..5cb6627c87 100644
--- a/test/openssl/test_pair.rb
+++ b/test/openssl/test_pair.rb
@@ -12,6 +12,7 @@ module OpenSSL::SSLPairM
port = 0
ctx = OpenSSL::SSL::SSLContext.new()
ctx.ciphers = "ADH"
+ ctx.security_level = 0
ctx.tmp_dh_callback = proc { OpenSSL::TestUtils::TEST_KEY_DH1024 }
tcps = create_tcp_server(host, port)
ssls = OpenSSL::SSL::SSLServer.new(tcps, ctx)
@@ -22,6 +23,7 @@ module OpenSSL::SSLPairM
host = "127.0.0.1"
ctx = OpenSSL::SSL::SSLContext.new()
ctx.ciphers = "ADH"
+ ctx.security_level = 0
s = create_tcp_client(host, port)
ssl = OpenSSL::SSL::SSLSocket.new(s, ctx)
ssl.connect
@@ -324,6 +326,7 @@ module OpenSSL::TestPairM
def test_connect_works_when_setting_dh_callback_to_nil
ctx2 = OpenSSL::SSL::SSLContext.new
ctx2.ciphers = "DH"
+ ctx2.security_level = 0
ctx2.tmp_dh_callback = nil
sock1, sock2 = tcp_pair
s2 = OpenSSL::SSL::SSLSocket.new(sock2, ctx2)
@@ -331,6 +334,7 @@ module OpenSSL::TestPairM
ctx1 = OpenSSL::SSL::SSLContext.new
ctx1.ciphers = "DH"
+ ctx1.security_level = 0
ctx1.tmp_dh_callback = nil
s1 = OpenSSL::SSL::SSLSocket.new(sock1, ctx1)
t = Thread.new { s1.connect }
@@ -350,12 +354,14 @@ module OpenSSL::TestPairM
def test_connect_without_setting_dh_callback
ctx2 = OpenSSL::SSL::SSLContext.new
ctx2.ciphers = "DH"
+ ctx2.security_level = 0
sock1, sock2 = tcp_pair
s2 = OpenSSL::SSL::SSLSocket.new(sock2, ctx2)
accepted = s2.accept_nonblock(exception: false)
ctx1 = OpenSSL::SSL::SSLContext.new
ctx1.ciphers = "DH"
+ ctx1.security_level = 0
s1 = OpenSSL::SSL::SSLSocket.new(sock1, ctx1)
t = Thread.new { s1.connect }
@@ -378,6 +384,8 @@ module OpenSSL::TestPairM
called = false
ctx2 = OpenSSL::SSL::SSLContext.new
ctx2.ciphers = "ECDH"
+ # OpenSSL 1.1.0 doesn't have tmp_ecdh_callback so this shouldn't be required
+ ctx2.security_level = 0
ctx2.tmp_ecdh_callback = ->(*args) {
called = true
OpenSSL::PKey::EC.new "prime256v1"
@@ -388,6 +396,7 @@ module OpenSSL::TestPairM
s2 = OpenSSL::SSL::SSLSocket.new(sock2, ctx2)
ctx1 = OpenSSL::SSL::SSLContext.new
ctx1.ciphers = "ECDH"
+ ctx1.security_level = 0
s1 = OpenSSL::SSL::SSLSocket.new(sock1, ctx1)
th = Thread.new do
@@ -426,11 +435,13 @@ module OpenSSL::TestPairM
ctx1 = OpenSSL::SSL::SSLContext.new
ctx1.ciphers = "ECDH"
ctx1.ecdh_curves = "P-384:P-521"
+ ctx1.security_level = 0
s1 = OpenSSL::SSL::SSLSocket.new(sock1, ctx1)
ctx2 = OpenSSL::SSL::SSLContext.new
ctx2.ciphers = "ECDH"
ctx2.ecdh_curves = "P-256:P-384"
+ ctx2.security_level = 0
s2 = OpenSSL::SSL::SSLSocket.new(sock2, ctx2)
th = Thread.new { s1.accept }
@@ -451,6 +462,7 @@ module OpenSSL::TestPairM
def test_connect_accept_nonblock_no_exception
ctx2 = OpenSSL::SSL::SSLContext.new
ctx2.ciphers = "ADH"
+ ctx2.security_level = 0
ctx2.tmp_dh_callback = proc { OpenSSL::TestUtils::TEST_KEY_DH1024 }
sock1, sock2 = tcp_pair
@@ -461,6 +473,7 @@ module OpenSSL::TestPairM
ctx1 = OpenSSL::SSL::SSLContext.new
ctx1.ciphers = "ADH"
+ ctx1.security_level = 0
s1 = OpenSSL::SSL::SSLSocket.new(sock1, ctx1)
th = Thread.new do
rets = []
@@ -499,6 +512,7 @@ module OpenSSL::TestPairM
def test_connect_accept_nonblock
ctx = OpenSSL::SSL::SSLContext.new()
ctx.ciphers = "ADH"
+ ctx.security_level = 0
ctx.tmp_dh_callback = proc { OpenSSL::TestUtils::TEST_KEY_DH1024 }
sock1, sock2 = tcp_pair
@@ -522,6 +536,7 @@ module OpenSSL::TestPairM
sleep 0.1
ctx = OpenSSL::SSL::SSLContext.new()
ctx.ciphers = "ADH"
+ ctx.security_level = 0
s1 = OpenSSL::SSL::SSLSocket.new(sock1, ctx)
begin
sleep 0.2
diff --git a/test/openssl/test_pkey_dsa.rb b/test/openssl/test_pkey_dsa.rb
index 680a123997..211c034236 100644
--- a/test/openssl/test_pkey_dsa.rb
+++ b/test/openssl/test_pkey_dsa.rb
@@ -39,7 +39,7 @@ class OpenSSL::TestPKeyDSA < OpenSSL::TestCase
def test_sign_verify
check_sign_verify(OpenSSL::Digest::DSS1.new)
- end
+ end if defined?(OpenSSL::Digest::DSS1)
if (OpenSSL::OPENSSL_VERSION_NUMBER > 0x10000000)
def test_sign_verify_sha1
@@ -53,8 +53,8 @@ end
def test_digest_state_irrelevant_verify
key = OpenSSL::TestUtils::TEST_KEY_DSA256
- digest1 = OpenSSL::Digest::DSS1.new
- digest2 = OpenSSL::Digest::DSS1.new
+ digest1 = OpenSSL::TestUtils::DSA_SIGNATURE_DIGEST.new
+ digest2 = OpenSSL::TestUtils::DSA_SIGNATURE_DIGEST.new
data = 'Sign me!'
sig = key.sign(digest1, data)
digest1.reset
diff --git a/test/openssl/test_pkey_ec.rb b/test/openssl/test_pkey_ec.rb
index 4161e9b0e0..e05b70ac2f 100644
--- a/test/openssl/test_pkey_ec.rb
+++ b/test/openssl/test_pkey_ec.rb
@@ -12,12 +12,14 @@ class OpenSSL::TestEC < OpenSSL::TestCase
@keys = []
OpenSSL::PKey::EC.builtin_curves.each do |curve, comment|
- next if curve.start_with?("Oakley") # Oakley curves are not suitable for ECDSA
group = OpenSSL::PKey::EC::Group.new(curve)
key = OpenSSL::PKey::EC.new(group)
key.generate_key!
+ # Oakley curves and X25519 are not suitable for signing
+ next if ["Oakley", "X25519"].any? { |n| curve.start_with?(n) }
+
@groups << group
@keys << key
end
diff --git a/test/openssl/test_ssl.rb b/test/openssl/test_ssl.rb
index 65cc30e71e..b1dc2233d6 100644
--- a/test/openssl/test_ssl.rb
+++ b/test/openssl/test_ssl.rb
@@ -405,7 +405,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
ciphers = ctx.ciphers
ciphers_versions = ciphers.collect{|_, v, _, _| v }
ciphers_names = ciphers.collect{|v, _, _, _| v }
- assert(ciphers_names.all?{|v| /ADH/ !~ v })
+ assert(ciphers_names.all?{|v| /A(EC)?DH/ !~ v })
assert(ciphers_versions.all?{|v| /SSLv2/ !~ v })
ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
ssl.sync_close = true
@@ -424,6 +424,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
start_server(OpenSSL::SSL::VERIFY_NONE, true, {use_anon_cipher: true}){|server, port|
ctx = OpenSSL::SSL::SSLContext.new
ctx.ciphers = "aNULL"
+ ctx.security_level = 0
server_connect(port, ctx) { |ssl|
msg = "Peer verification enabled, but no certificate received. Anonymous cipher suite " \
"ADH-AES256-GCM-SHA384 was negotiated. Anonymous suites must be disabled to use peer verification."
@@ -687,6 +688,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
ctx3 = OpenSSL::SSL::SSLContext.new
ctx3.ciphers = "DH"
+ ctx3.security_level = 0
ctx2 = OpenSSL::SSL::SSLContext.new
ctx2.ciphers = "DH"
@@ -698,6 +700,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
ctx1 = OpenSSL::SSL::SSLContext.new
ctx1.ciphers = "DH"
+ ctx1.security_level = 0
s1 = OpenSSL::SSL::SSLSocket.new(sock1, ctx1)
s1.hostname = hostname
@@ -720,6 +723,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
ctx2 = OpenSSL::SSL::SSLContext.new
ctx2.ciphers = "DH"
+ ctx2.security_level = 0
ctx2.servername_cb = lambda { |args| Object.new }
sock1, sock2 = socketpair
@@ -728,6 +732,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
ctx1 = OpenSSL::SSL::SSLContext.new
ctx1.ciphers = "DH"
+ ctx1.security_level = 0
s1 = OpenSSL::SSL::SSLSocket.new(sock1, ctx1)
s1.hostname = hostname
@@ -752,6 +757,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
ctx3 = OpenSSL::SSL::SSLContext.new
ctx3.ciphers = "DH"
+ ctx3.security_level = 0
assert_not_predicate ctx3, :frozen?
ctx2 = OpenSSL::SSL::SSLContext.new
@@ -764,6 +770,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
ctx1 = OpenSSL::SSL::SSLContext.new
ctx1.ciphers = "DH"
+ ctx1.security_level = 0
s1 = OpenSSL::SSL::SSLSocket.new(sock1, ctx1)
s1.hostname = hostname
@@ -785,6 +792,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
ctx2 = OpenSSL::SSL::SSLContext.new
ctx2.ciphers = "DH"
+ ctx2.security_level = 0
ctx2.servername_cb = lambda { |args| nil }
sock1, sock2 = socketpair
@@ -793,6 +801,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
ctx1 = OpenSSL::SSL::SSLContext.new
ctx1.ciphers = "DH"
+ ctx1.security_level = 0
s1 = OpenSSL::SSL::SSLSocket.new(sock1, ctx1)
s1.hostname = hostname
@@ -815,6 +824,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
ctx2 = OpenSSL::SSL::SSLContext.new
ctx2.ciphers = "DH"
+ ctx2.security_level = 0
ctx2.servername_cb = lambda do |args|
cb_socket = args[0]
lambda_called = args[1]
@@ -827,6 +837,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
ctx1 = OpenSSL::SSL::SSLContext.new
ctx1.ciphers = "DH"
+ ctx1.security_level = 0
s1 = OpenSSL::SSL::SSLSocket.new(sock1, ctx1)
s1.hostname = hostname
@@ -1171,6 +1182,7 @@ end
# test it doesn't cause a segmentation fault
ctx = OpenSSL::SSL::SSLContext.new
ctx.ciphers = "aNULL"
+ ctx.security_level = 0
sock1, sock2 = socketpair
ssl1 = OpenSSL::SSL::SSLSocket.new(sock1, ctx)
diff --git a/test/openssl/test_ssl_session.rb b/test/openssl/test_ssl_session.rb
index cdcab02f95..84686f6b4f 100644
--- a/test/openssl/test_ssl_session.rb
+++ b/test/openssl/test_ssl_session.rb
@@ -211,25 +211,25 @@ __EOS__
assert_equal(stats[:cache_misses], 0)
assert(ssl.session_reused?)
ctx.session_remove(session)
- saved_session = session
+ saved_session = session.to_der
when 2
assert_equal(stats[:cache_num], 1)
assert_equal(stats[:cache_hits], 1)
assert_equal(stats[:cache_misses], 1)
assert(!ssl.session_reused?)
- ctx.session_add(saved_session)
+ ctx.session_add(OpenSSL::SSL::Session.new(saved_session))
when 3
assert_equal(stats[:cache_num], 2)
assert_equal(stats[:cache_hits], 2)
assert_equal(stats[:cache_misses], 1)
assert(ssl.session_reused?)
- ctx.flush_sessions(Time.now + 5000)
+ ctx.flush_sessions(Time.now + 10000)
when 4
assert_equal(stats[:cache_num], 1)
assert_equal(stats[:cache_hits], 2)
assert_equal(stats[:cache_misses], 2)
assert(!ssl.session_reused?)
- ctx.session_add(saved_session)
+ ctx.session_add(OpenSSL::SSL::Session.new(saved_session))
end
connections += 1
diff --git a/test/openssl/test_x509cert.rb b/test/openssl/test_x509cert.rb
index ae7a0f0855..269d017298 100644
--- a/test/openssl/test_x509cert.rb
+++ b/test/openssl/test_x509cert.rb
@@ -168,7 +168,7 @@ class OpenSSL::TestX509Certificate < OpenSSL::TestCase
cert.subject = @ee1
assert_equal(false, cert.verify(@rsa2048))
rescue OpenSSL::X509::CertificateError
- end
+ end if defined?(OpenSSL::Digest::DSS1)
def test_sign_and_verify_dsa_md5
assert_raise(OpenSSL::X509::CertificateError){
diff --git a/test/openssl/test_x509name.rb b/test/openssl/test_x509name.rb
index d26174efdf..b87d415de2 100644
--- a/test/openssl/test_x509name.rb
+++ b/test/openssl/test_x509name.rb
@@ -5,11 +5,6 @@ require_relative 'utils'
if defined?(OpenSSL::TestUtils)
class OpenSSL::TestX509Name < OpenSSL::TestCase
- OpenSSL::ASN1::ObjectId.register(
- "1.2.840.113549.1.9.1", "emailAddress", "emailAddress")
- OpenSSL::ASN1::ObjectId.register(
- "2.5.4.5", "serialNumber", "serialNumber")
-
def setup
@obj_type_tmpl = Hash.new(OpenSSL::ASN1::PRINTABLESTRING)
@obj_type_tmpl.update(OpenSSL::X509::Name::OBJECT_TYPE_TEMPLATE)
diff --git a/test/openssl/test_x509req.rb b/test/openssl/test_x509req.rb
index 7ceff5839b..53e5a437fc 100644
--- a/test/openssl/test_x509req.rb
+++ b/test/openssl/test_x509req.rb
@@ -140,7 +140,7 @@ class OpenSSL::TestX509Request < OpenSSL::TestCase
assert_equal(false, req.verify(@rsa1024))
rescue OpenSSL::X509::RequestError
skip
- end
+ end if defined?(OpenSSL::Digest::DSS1)
def test_sign_and_verify_dsa_md5
assert_raise(OpenSSL::X509::RequestError){
diff --git a/test/openssl/utils.rb b/test/openssl/utils.rb
index 82a018aabb..e4861fa688 100644
--- a/test/openssl/utils.rb
+++ b/test/openssl/utils.rb
@@ -85,6 +85,21 @@ Q1VB8qkJN7rA7/2HrCR3gTsWNb1YhAsnFsoeRscC+LxXoXi9OAIUBG98h4tilg6S
-----END DSA PRIVATE KEY-----
_end_of_pem_
+ TEST_KEY_DSA1024 = OpenSSL::PKey::DSA.new <<-_end_of_pem_
+-----BEGIN DSA PRIVATE KEY-----
+MIIBugIBAAKBgQCH9aAoXvWWThIjkA6D+nI1F9ksF9iDq594rkiGNOT9sPDOdB+n
+D+qeeeeloRlj19ymCSADPI0ZLRgkchkAEnY2RnqnhHOjVf/roGgRbW+iQDMbQ9wa
+/pvc6/fAbsu1goE1hBYjm98/sZEeXavj8tR56IXnjF1b6Nx0+sgeUKFKEQIVAMiz
+4BJUFeTtddyM4uadBM7HKLPRAoGAZdLBSYNGiij7vAjesF5mGUKTIgPd+JKuBEDx
+OaBclsgfdoyoF/TMOkIty+PVlYD+//Vl2xnoUEIRaMXHwHfm0r2xUX++oeRaSScg
+YizJdUxe5jvBuBszGPRc/mGpb9YvP0sB+FL1KmuxYmdODfCe51zl8uM/CVhouJ3w
+DjmRGscCgYAuFlfC7p+e8huCKydfcv/beftqjewiOPpQ3u5uI6KPCtCJPpDhs3+4
+IihH2cPsAlqwGF4tlibW1+/z/OZ1AZinPK3y7b2jSJASEaPeEltVzB92hcd1khk2
+jTYcmSsV4VddplOPK9czytR/GbbibxsrhhgZUbd8LPbvIgaiadJ1PgIUBnJ/5vN2
+CVArsEzlPUCbohPvZnE=
+-----END DSA PRIVATE KEY-----
+ _end_of_pem_
+
if defined?(OpenSSL::PKey::EC)
TEST_KEY_EC_P256V1 = OpenSSL::PKey::EC.new <<-_end_of_pem_
@@ -196,7 +211,7 @@ AQjjxMXhwULlmuR/K+WwlaZPiLIBYalLAZQ7ZbOPeVkJ8ePao0eLAgEC
def setup
@ca_key = OpenSSL::TestUtils::TEST_KEY_RSA2048
@svr_key = OpenSSL::TestUtils::TEST_KEY_RSA1024
- @cli_key = OpenSSL::TestUtils::TEST_KEY_DSA256
+ @cli_key = OpenSSL::TestUtils::TEST_KEY_DSA1024
@ca = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=CA")
@svr = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=localhost")
@cli = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=localhost")
@@ -277,6 +292,7 @@ AQjjxMXhwULlmuR/K+WwlaZPiLIBYalLAZQ7ZbOPeVkJ8ePao0eLAgEC
store.purpose = OpenSSL::X509::PURPOSE_SSL_CLIENT
ctx = OpenSSL::SSL::SSLContext.new
ctx.ciphers = "ADH-AES256-GCM-SHA384" if use_anon_cipher
+ ctx.security_level = 0 if use_anon_cipher
ctx.cert_store = store
#ctx.extra_chain_cert = [ ca_cert ]
ctx.cert = @svr_cert