1 files changed, 59 insertions, 28 deletions

diff --git a/test/openssl/test_pair.rb b/test/openssl/test_pair.rb
index 38b33a4622..d9341ad123 100644
--- a/test/openssl/test_pair.rb
+++ b/test/openssl/test_pair.rb
@@ -372,41 +372,73 @@ module OpenSSL::TestPairM
   end
 
   def test_ecdh_callback
-    called = false
-    ctx2 = OpenSSL::SSL::SSLContext.new
-    ctx2.ciphers = "ECDH"
-    ctx2.tmp_ecdh_callback = ->(*args) {
-      called = true
-      OpenSSL::PKey::EC.new "prime256v1"
-    }
+    return unless OpenSSL::SSL::SSLContext.instance_methods.include?(:tmp_ecdh_callback)
+    EnvUtil.suppress_warning do # tmp_ecdh_callback is deprecated (2016-05)
+      begin
+        called = false
+        ctx2 = OpenSSL::SSL::SSLContext.new
+        ctx2.ciphers = "ECDH"
+        ctx2.tmp_ecdh_callback = ->(*args) {
+          called = true
+          OpenSSL::PKey::EC.new "prime256v1"
+        }
+
+        sock1, sock2 = tcp_pair
+
+        s2 = OpenSSL::SSL::SSLSocket.new(sock2, ctx2)
+        ctx1 = OpenSSL::SSL::SSLContext.new
+        ctx1.ciphers = "ECDH"
+
+        s1 = OpenSSL::SSL::SSLSocket.new(sock1, ctx1)
+        th = Thread.new do
+          begin
+            rv = s1.connect_nonblock(exception: false)
+            case rv
+            when :wait_writable
+              IO.select(nil, [s1], nil, 5)
+            when :wait_readable
+              IO.select([s1], nil, nil, 5)
+            end
+          end until rv == s1
+        end
+
+        accepted = s2.accept
+        assert called, 'ecdh callback should be called'
+      rescue OpenSSL::SSL::SSLError => e
+        if e.message =~ /no cipher match/
+          skip "ECDH cipher not supported."
+        else
+          raise e
+        end
+      ensure
+        th.join if th
+        s1.close if s1
+        s2.close if s2
+        sock1.close if sock1
+        sock2.close if sock2
+      end
+    end
+  end
 
+  def test_ecdh_curves
     sock1, sock2 = tcp_pair
 
-    s2 = OpenSSL::SSL::SSLSocket.new(sock2, ctx2)
     ctx1 = OpenSSL::SSL::SSLContext.new
     ctx1.ciphers = "ECDH"
-
+    ctx1.ecdh_curves = "P-384:P-224"
     s1 = OpenSSL::SSL::SSLSocket.new(sock1, ctx1)
-    th = Thread.new do
-      begin
-        rv = s1.connect_nonblock(exception: false)
-        case rv
-        when :wait_writable
-          IO.select(nil, [s1], nil, 5)
-        when :wait_readable
-          IO.select([s1], nil, nil, 5)
-        end
-      end until rv == s1
-    end
 
-    accepted = s2.accept
+    ctx2 = OpenSSL::SSL::SSLContext.new
+    ctx2.ciphers = "ECDH"
+    ctx2.ecdh_curves = "P-256:P-384"
+    s2 = OpenSSL::SSL::SSLSocket.new(sock2, ctx2)
 
-    assert called, 'ecdh callback should be called'
-  rescue OpenSSL::SSL::SSLError => e
-    if e.message =~ /no cipher match/
-      skip "ECDH cipher not supported."
-    else
-      raise e
+    th = Thread.new { s1.accept }
+    s2.connect
+
+    assert s2.cipher[0].start_with?("AECDH"), "AECDH should be used"
+    if s2.respond_to?(:tmp_key)
+      assert_equal "secp384r1", s2.tmp_key.group.curve_name
     end
   ensure
     th.join if th
@@ -414,7 +446,6 @@ module OpenSSL::TestPairM
     s2.close if s2
     sock1.close if sock1
     sock2.close if sock2
-    accepted.close if accepted.respond_to?(:close)
   end
 
   def test_connect_accept_nonblock_no_exception