From 665e102691a655da45d70963761eb486f277c43a Mon Sep 17 00:00:00 2001
From: Kazuki Yamaguchi <k@rhe.jp>
Date: Thu, 5 May 2016 14:40:13 +0900
Subject: ext/openssl: add SSLContext#security_level, #security_level=

OpenSSL 1.1.0 introduced "security level" and these methods deal with
it.

This patch includes many test changes: setting the level to 0.
The default security level is 1 and this prohibits aNULL ciphers.
---
 test/openssl/test_pair.rb | 10 ++++++++++
 test/openssl/test_ssl.rb  | 11 +++++++++++
 test/openssl/utils.rb     |  1 +
 3 files changed, 22 insertions(+)

(limited to 'test')

diff --git a/test/openssl/test_pair.rb b/test/openssl/test_pair.rb
index 06c34442b7..7f1a25d971 100644
--- a/test/openssl/test_pair.rb
+++ b/test/openssl/test_pair.rb
@@ -12,6 +12,7 @@ module OpenSSL::SSLPairM
     port = 0
     ctx = OpenSSL::SSL::SSLContext.new()
     ctx.ciphers = "ADH"
+    ctx.security_level = 0
     ctx.tmp_dh_callback = proc { OpenSSL::TestUtils::TEST_KEY_DH1024 }
     tcps = create_tcp_server(host, port)
     ssls = OpenSSL::SSL::SSLServer.new(tcps, ctx)
@@ -22,6 +23,7 @@ module OpenSSL::SSLPairM
     host = "127.0.0.1"
     ctx = OpenSSL::SSL::SSLContext.new()
     ctx.ciphers = "ADH"
+    ctx.security_level = 0
     s = create_tcp_client(host, port)
     ssl = OpenSSL::SSL::SSLSocket.new(s, ctx)
     ssl.connect
@@ -324,6 +326,7 @@ module OpenSSL::TestPairM
   def test_connect_works_when_setting_dh_callback_to_nil
     ctx2 = OpenSSL::SSL::SSLContext.new
     ctx2.ciphers = "DH"
+    ctx2.security_level = 0
     ctx2.tmp_dh_callback = nil
     sock1, sock2 = tcp_pair
     s2 = OpenSSL::SSL::SSLSocket.new(sock2, ctx2)
@@ -331,6 +334,7 @@ module OpenSSL::TestPairM
 
     ctx1 = OpenSSL::SSL::SSLContext.new
     ctx1.ciphers = "DH"
+    ctx1.security_level = 0
     ctx1.tmp_dh_callback = nil
     s1 = OpenSSL::SSL::SSLSocket.new(sock1, ctx1)
     t = Thread.new { s1.connect }
@@ -350,12 +354,14 @@ module OpenSSL::TestPairM
   def test_connect_without_setting_dh_callback
     ctx2 = OpenSSL::SSL::SSLContext.new
     ctx2.ciphers = "DH"
+    ctx2.security_level = 0
     sock1, sock2 = tcp_pair
     s2 = OpenSSL::SSL::SSLSocket.new(sock2, ctx2)
     accepted = s2.accept_nonblock(exception: false)
 
     ctx1 = OpenSSL::SSL::SSLContext.new
     ctx1.ciphers = "DH"
+    ctx1.security_level = 0
     s1 = OpenSSL::SSL::SSLSocket.new(sock1, ctx1)
     t = Thread.new { s1.connect }
 
@@ -420,6 +426,7 @@ module OpenSSL::TestPairM
   def test_connect_accept_nonblock_no_exception
     ctx2 = OpenSSL::SSL::SSLContext.new
     ctx2.ciphers = "ADH"
+    ctx2.security_level = 0
     ctx2.tmp_dh_callback = proc { OpenSSL::TestUtils::TEST_KEY_DH1024 }
 
     sock1, sock2 = tcp_pair
@@ -430,6 +437,7 @@ module OpenSSL::TestPairM
 
     ctx1 = OpenSSL::SSL::SSLContext.new
     ctx1.ciphers = "ADH"
+    ctx1.security_level = 0
     s1 = OpenSSL::SSL::SSLSocket.new(sock1, ctx1)
     th = Thread.new do
       rets = []
@@ -468,6 +476,7 @@ module OpenSSL::TestPairM
   def test_connect_accept_nonblock
     ctx = OpenSSL::SSL::SSLContext.new()
     ctx.ciphers = "ADH"
+    ctx.security_level = 0
     ctx.tmp_dh_callback = proc { OpenSSL::TestUtils::TEST_KEY_DH1024 }
 
     sock1, sock2 = tcp_pair
@@ -491,6 +500,7 @@ module OpenSSL::TestPairM
     sleep 0.1
     ctx = OpenSSL::SSL::SSLContext.new()
     ctx.ciphers = "ADH"
+    ctx.security_level = 0
     s1 = OpenSSL::SSL::SSLSocket.new(sock1, ctx)
     begin
       sleep 0.2
diff --git a/test/openssl/test_ssl.rb b/test/openssl/test_ssl.rb
index 6e9078dace..5314853849 100644
--- a/test/openssl/test_ssl.rb
+++ b/test/openssl/test_ssl.rb
@@ -424,6 +424,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
     start_server(OpenSSL::SSL::VERIFY_NONE, true, {use_anon_cipher: true}){|server, port|
       ctx = OpenSSL::SSL::SSLContext.new
       ctx.ciphers = "aNULL"
+      ctx.security_level = 0
       server_connect(port, ctx) { |ssl|
         msg = "Peer verification enabled, but no certificate received. Anonymous cipher suite " \
           "ADH-AES256-GCM-SHA384 was negotiated. Anonymous suites must be disabled to use peer verification."
@@ -687,6 +688,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
 
     ctx3 = OpenSSL::SSL::SSLContext.new
     ctx3.ciphers = "DH"
+    ctx3.security_level = 0
 
     ctx2 = OpenSSL::SSL::SSLContext.new
     ctx2.ciphers = "DH"
@@ -698,6 +700,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
 
     ctx1 = OpenSSL::SSL::SSLContext.new
     ctx1.ciphers = "DH"
+    ctx1.security_level = 0
 
     s1 = OpenSSL::SSL::SSLSocket.new(sock1, ctx1)
     s1.hostname = hostname
@@ -720,6 +723,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
 
     ctx2 = OpenSSL::SSL::SSLContext.new
     ctx2.ciphers = "DH"
+    ctx2.security_level = 0
     ctx2.servername_cb = lambda { |args| Object.new }
 
     sock1, sock2 = socketpair
@@ -728,6 +732,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
 
     ctx1 = OpenSSL::SSL::SSLContext.new
     ctx1.ciphers = "DH"
+    ctx1.security_level = 0
 
     s1 = OpenSSL::SSL::SSLSocket.new(sock1, ctx1)
     s1.hostname = hostname
@@ -752,6 +757,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
 
     ctx3 = OpenSSL::SSL::SSLContext.new
     ctx3.ciphers = "DH"
+    ctx3.security_level = 0
     assert_not_predicate ctx3, :frozen?
 
     ctx2 = OpenSSL::SSL::SSLContext.new
@@ -764,6 +770,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
 
     ctx1 = OpenSSL::SSL::SSLContext.new
     ctx1.ciphers = "DH"
+    ctx1.security_level = 0
 
     s1 = OpenSSL::SSL::SSLSocket.new(sock1, ctx1)
     s1.hostname = hostname
@@ -785,6 +792,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
 
     ctx2 = OpenSSL::SSL::SSLContext.new
     ctx2.ciphers = "DH"
+    ctx2.security_level = 0
     ctx2.servername_cb = lambda { |args| nil }
 
     sock1, sock2 = socketpair
@@ -793,6 +801,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
 
     ctx1 = OpenSSL::SSL::SSLContext.new
     ctx1.ciphers = "DH"
+    ctx1.security_level = 0
 
     s1 = OpenSSL::SSL::SSLSocket.new(sock1, ctx1)
     s1.hostname = hostname
@@ -815,6 +824,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
 
     ctx2 = OpenSSL::SSL::SSLContext.new
     ctx2.ciphers = "DH"
+    ctx2.security_level = 0
     ctx2.servername_cb = lambda do |args|
       cb_socket     = args[0]
       lambda_called = args[1]
@@ -827,6 +837,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
 
     ctx1 = OpenSSL::SSL::SSLContext.new
     ctx1.ciphers = "DH"
+    ctx1.security_level = 0
 
     s1 = OpenSSL::SSL::SSLSocket.new(sock1, ctx1)
     s1.hostname = hostname
diff --git a/test/openssl/utils.rb b/test/openssl/utils.rb
index 02bafb6f21..a4340e785f 100644
--- a/test/openssl/utils.rb
+++ b/test/openssl/utils.rb
@@ -273,6 +273,7 @@ AQjjxMXhwULlmuR/K+WwlaZPiLIBYalLAZQ7ZbOPeVkJ8ePao0eLAgEC
         store.purpose = OpenSSL::X509::PURPOSE_SSL_CLIENT
         ctx = OpenSSL::SSL::SSLContext.new
         ctx.ciphers = "ADH-AES256-GCM-SHA384" if use_anon_cipher
+        ctx.security_level = 0 if use_anon_cipher
         ctx.cert_store = store
         #ctx.extra_chain_cert = [ ca_cert ]
         ctx.cert = @svr_cert
-- 
cgit v1.2.3