2015-12-16 00:07:31 -05:00
|
|
|
# frozen_string_literal: false
|
2010-12-10 20:25:25 -05:00
|
|
|
begin
|
|
|
|
require "openssl"
|
2012-12-19 19:29:07 -05:00
|
|
|
|
2012-12-20 02:00:11 -05:00
|
|
|
# Disable FIPS mode for tests for installations
|
|
|
|
# where FIPS mode would be enabled by default.
|
|
|
|
# Has no effect on all other installations.
|
2012-12-19 19:29:07 -05:00
|
|
|
OpenSSL.fips_mode=false
|
2010-12-10 20:25:25 -05:00
|
|
|
rescue LoadError
|
|
|
|
end
|
2016-08-29 01:47:09 -04:00
|
|
|
|
2017-09-03 08:35:27 -04:00
|
|
|
# Compile OpenSSL with crypto-mdebug and run this test suite with OSSL_MDEBUG=1
|
|
|
|
# environment variable to enable memory leak check.
|
|
|
|
if ENV["OSSL_MDEBUG"] == "1"
|
|
|
|
if OpenSSL.respond_to?(:print_mem_leaks)
|
|
|
|
OpenSSL.mem_check_start
|
|
|
|
|
|
|
|
END {
|
|
|
|
GC.start
|
|
|
|
case OpenSSL.print_mem_leaks
|
|
|
|
when nil
|
|
|
|
warn "mdebug: check what is printed"
|
|
|
|
when true
|
|
|
|
raise "mdebug: memory leaks detected"
|
|
|
|
end
|
|
|
|
}
|
|
|
|
else
|
|
|
|
warn "OSSL_MDEBUG=1 is specified but OpenSSL is not built with crypto-mdebug"
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2004-05-17 16:23:28 -04:00
|
|
|
require "test/unit"
|
2017-09-03 08:35:27 -04:00
|
|
|
require "tempfile"
|
2010-12-15 14:50:00 -05:00
|
|
|
require "socket"
|
2016-08-29 01:47:09 -04:00
|
|
|
require "envutil"
|
2004-05-17 16:23:28 -04:00
|
|
|
|
2017-09-03 08:35:27 -04:00
|
|
|
if defined?(OpenSSL)
|
2004-05-17 16:23:28 -04:00
|
|
|
|
2017-09-03 08:35:27 -04:00
|
|
|
module OpenSSL::TestUtils
|
|
|
|
module Fixtures
|
|
|
|
module_function
|
2011-06-13 07:56:04 -04:00
|
|
|
|
2017-09-03 08:35:27 -04:00
|
|
|
def pkey(name)
|
|
|
|
OpenSSL::PKey.read(read_file("pkey", name))
|
|
|
|
end
|
2012-08-28 16:03:32 -04:00
|
|
|
|
2017-09-03 08:35:27 -04:00
|
|
|
def pkey_dh(name)
|
|
|
|
# DH parameters can be read by OpenSSL::PKey.read atm
|
|
|
|
OpenSSL::PKey::DH.new(read_file("pkey", name))
|
|
|
|
end
|
2012-08-28 16:03:32 -04:00
|
|
|
|
2017-09-03 08:35:27 -04:00
|
|
|
def read_file(category, name)
|
|
|
|
@file_cache ||= {}
|
|
|
|
@file_cache[[category, name]] ||=
|
|
|
|
File.read(File.join(__dir__, "fixtures", category, name + ".pem"))
|
|
|
|
end
|
|
|
|
end
|
2012-09-02 21:14:26 -04:00
|
|
|
|
2004-05-17 16:23:28 -04:00
|
|
|
module_function
|
|
|
|
|
2016-11-30 09:41:46 -05:00
|
|
|
def issue_cert(dn, key, serial, extensions, issuer, issuer_key,
|
2017-09-03 08:35:27 -04:00
|
|
|
not_before: nil, not_after: nil, digest: "sha256")
|
2004-05-17 16:23:28 -04:00
|
|
|
cert = OpenSSL::X509::Certificate.new
|
|
|
|
issuer = cert unless issuer
|
|
|
|
issuer_key = key unless issuer_key
|
|
|
|
cert.version = 2
|
|
|
|
cert.serial = serial
|
|
|
|
cert.subject = dn
|
|
|
|
cert.issuer = issuer.subject
|
2017-11-25 09:12:08 -05:00
|
|
|
cert.public_key = key
|
2016-11-30 09:41:46 -05:00
|
|
|
now = Time.now
|
|
|
|
cert.not_before = not_before || now - 3600
|
|
|
|
cert.not_after = not_after || now + 3600
|
2004-05-17 16:23:28 -04:00
|
|
|
ef = OpenSSL::X509::ExtensionFactory.new
|
|
|
|
ef.subject_certificate = cert
|
|
|
|
ef.issuer_certificate = issuer
|
|
|
|
extensions.each{|oid, value, critical|
|
|
|
|
cert.add_extension(ef.create_extension(oid, value, critical))
|
|
|
|
}
|
|
|
|
cert.sign(issuer_key, digest)
|
|
|
|
cert
|
|
|
|
end
|
|
|
|
|
2009-03-05 22:56:38 -05:00
|
|
|
def issue_crl(revoke_info, serial, lastup, nextup, extensions,
|
2004-05-17 16:23:28 -04:00
|
|
|
issuer, issuer_key, digest)
|
|
|
|
crl = OpenSSL::X509::CRL.new
|
2004-05-21 14:25:25 -04:00
|
|
|
crl.issuer = issuer.subject
|
2004-05-17 16:23:28 -04:00
|
|
|
crl.version = 1
|
|
|
|
crl.last_update = lastup
|
|
|
|
crl.next_update = nextup
|
2008-04-20 18:32:06 -04:00
|
|
|
revoke_info.each{|rserial, time, reason_code|
|
2004-05-17 16:23:28 -04:00
|
|
|
revoked = OpenSSL::X509::Revoked.new
|
2008-04-20 18:32:06 -04:00
|
|
|
revoked.serial = rserial
|
2004-05-17 16:23:28 -04:00
|
|
|
revoked.time = time
|
|
|
|
enum = OpenSSL::ASN1::Enumerated(reason_code)
|
|
|
|
ext = OpenSSL::X509::Extension.new("CRLReason", enum)
|
|
|
|
revoked.add_extension(ext)
|
|
|
|
crl.add_revoked(revoked)
|
|
|
|
}
|
|
|
|
ef = OpenSSL::X509::ExtensionFactory.new
|
|
|
|
ef.issuer_certificate = issuer
|
|
|
|
ef.crl = crl
|
|
|
|
crlnum = OpenSSL::ASN1::Integer(serial)
|
|
|
|
crl.add_extension(OpenSSL::X509::Extension.new("crlNumber", crlnum))
|
|
|
|
extensions.each{|oid, value, critical|
|
|
|
|
crl.add_extension(ef.create_extension(oid, value, critical))
|
|
|
|
}
|
|
|
|
crl.sign(issuer_key, digest)
|
|
|
|
crl
|
|
|
|
end
|
|
|
|
|
|
|
|
def get_subject_key_id(cert)
|
|
|
|
asn1_cert = OpenSSL::ASN1.decode(cert)
|
|
|
|
tbscert = asn1_cert.value[0]
|
|
|
|
pkinfo = tbscert.value[6]
|
|
|
|
publickey = pkinfo.value[1]
|
|
|
|
pkvalue = publickey.value
|
|
|
|
OpenSSL::Digest::SHA1.hexdigest(pkvalue).scan(/../).join(":").upcase
|
|
|
|
end
|
2010-08-19 04:22:31 -04:00
|
|
|
|
2017-09-03 08:35:27 -04:00
|
|
|
def openssl?(major = nil, minor = nil, fix = nil, patch = 0)
|
|
|
|
return false if OpenSSL::OPENSSL_VERSION.include?("LibreSSL")
|
|
|
|
return true unless major
|
|
|
|
OpenSSL::OPENSSL_VERSION_NUMBER >=
|
|
|
|
major * 0x10000000 + minor * 0x100000 + fix * 0x1000 + patch * 0x10
|
2010-08-19 04:22:31 -04:00
|
|
|
end
|
2011-06-21 23:40:08 -04:00
|
|
|
|
2017-09-03 08:35:27 -04:00
|
|
|
def libressl?(major = nil, minor = nil, fix = nil)
|
|
|
|
version = OpenSSL::OPENSSL_VERSION.scan(/LibreSSL (\d+)\.(\d+)\.(\d+).*/)[0]
|
|
|
|
return false unless version
|
|
|
|
!major || (version.map(&:to_i) <=> [major, minor, fix]) >= 0
|
2016-05-18 00:07:47 -04:00
|
|
|
end
|
2017-09-03 08:35:27 -04:00
|
|
|
end
|
2016-05-18 00:07:47 -04:00
|
|
|
|
2017-09-03 08:35:27 -04:00
|
|
|
class OpenSSL::TestCase < Test::Unit::TestCase
|
|
|
|
include OpenSSL::TestUtils
|
|
|
|
extend OpenSSL::TestUtils
|
2011-06-21 23:40:08 -04:00
|
|
|
|
2017-09-03 08:35:27 -04:00
|
|
|
def setup
|
|
|
|
if ENV["OSSL_GC_STRESS"] == "1"
|
|
|
|
GC.stress = true
|
2011-06-21 23:40:08 -04:00
|
|
|
end
|
2017-09-03 08:35:27 -04:00
|
|
|
end
|
2011-06-21 23:40:08 -04:00
|
|
|
|
2017-09-03 08:35:27 -04:00
|
|
|
def teardown
|
|
|
|
if ENV["OSSL_GC_STRESS"] == "1"
|
|
|
|
GC.stress = false
|
2011-06-21 23:40:08 -04:00
|
|
|
end
|
2017-09-03 08:35:27 -04:00
|
|
|
# OpenSSL error stack must be empty
|
|
|
|
assert_equal([], OpenSSL.errors)
|
|
|
|
end
|
|
|
|
end
|
2011-06-21 23:40:08 -04:00
|
|
|
|
2017-09-03 08:35:27 -04:00
|
|
|
class OpenSSL::SSLTestCase < OpenSSL::TestCase
|
|
|
|
RUBY = EnvUtil.rubybin
|
|
|
|
ITERATIONS = ($0 == __FILE__) ? 100 : 10
|
|
|
|
|
|
|
|
def setup
|
|
|
|
super
|
|
|
|
@ca_key = Fixtures.pkey("rsa2048")
|
|
|
|
@svr_key = Fixtures.pkey("rsa1024")
|
|
|
|
@cli_key = Fixtures.pkey("rsa2048")
|
|
|
|
@ca = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=CA")
|
|
|
|
@svr = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=localhost")
|
|
|
|
@cli = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=localhost")
|
|
|
|
ca_exts = [
|
|
|
|
["basicConstraints","CA:TRUE",true],
|
|
|
|
["keyUsage","cRLSign,keyCertSign",true],
|
|
|
|
]
|
|
|
|
ee_exts = [
|
|
|
|
["keyUsage","keyEncipherment,digitalSignature",true],
|
|
|
|
]
|
|
|
|
@ca_cert = issue_cert(@ca, @ca_key, 1, ca_exts, nil, nil)
|
|
|
|
@svr_cert = issue_cert(@svr, @svr_key, 2, ee_exts, @ca_cert, @ca_key)
|
|
|
|
@cli_cert = issue_cert(@cli, @cli_key, 3, ee_exts, @ca_cert, @ca_key)
|
|
|
|
@server = nil
|
|
|
|
end
|
2011-06-21 23:40:08 -04:00
|
|
|
|
2017-09-03 08:35:27 -04:00
|
|
|
def tls12_supported?
|
|
|
|
ctx = OpenSSL::SSL::SSLContext.new
|
|
|
|
ctx.min_version = ctx.max_version = OpenSSL::SSL::TLS1_2_VERSION
|
|
|
|
true
|
|
|
|
rescue
|
|
|
|
end
|
2011-06-21 23:40:08 -04:00
|
|
|
|
2017-09-03 08:35:27 -04:00
|
|
|
def readwrite_loop(ctx, ssl)
|
|
|
|
while line = ssl.gets
|
|
|
|
ssl.write(line)
|
2011-06-21 23:40:08 -04:00
|
|
|
end
|
2017-09-03 08:35:27 -04:00
|
|
|
end
|
2011-06-21 23:40:08 -04:00
|
|
|
|
2017-09-03 08:35:27 -04:00
|
|
|
def start_server(verify_mode: OpenSSL::SSL::VERIFY_NONE, start_immediately: true,
|
|
|
|
ctx_proc: nil, server_proc: method(:readwrite_loop),
|
|
|
|
ignore_listener_error: false, &block)
|
|
|
|
IO.pipe {|stop_pipe_r, stop_pipe_w|
|
|
|
|
store = OpenSSL::X509::Store.new
|
|
|
|
store.add_cert(@ca_cert)
|
|
|
|
store.purpose = OpenSSL::X509::PURPOSE_SSL_CLIENT
|
|
|
|
ctx = OpenSSL::SSL::SSLContext.new
|
|
|
|
ctx.cert_store = store
|
|
|
|
ctx.cert = @svr_cert
|
|
|
|
ctx.key = @svr_key
|
|
|
|
ctx.tmp_dh_callback = proc { Fixtures.pkey_dh("dh1024") }
|
|
|
|
ctx.verify_mode = verify_mode
|
|
|
|
ctx_proc.call(ctx) if ctx_proc
|
|
|
|
|
|
|
|
Socket.do_not_reverse_lookup = true
|
|
|
|
tcps = TCPServer.new("127.0.0.1", 0)
|
|
|
|
port = tcps.connect_address.ip_port
|
|
|
|
|
|
|
|
ssls = OpenSSL::SSL::SSLServer.new(tcps, ctx)
|
|
|
|
ssls.start_immediately = start_immediately
|
|
|
|
|
|
|
|
threads = []
|
|
|
|
begin
|
|
|
|
server_thread = Thread.new do
|
2017-12-15 03:19:32 -05:00
|
|
|
if Thread.method_defined?(:report_on_exception=) # Ruby >= 2.4
|
|
|
|
Thread.current.report_on_exception = false
|
|
|
|
end
|
|
|
|
|
2017-09-03 08:35:27 -04:00
|
|
|
begin
|
|
|
|
loop do
|
|
|
|
begin
|
|
|
|
readable, = IO.select([ssls, stop_pipe_r])
|
|
|
|
break if readable.include? stop_pipe_r
|
|
|
|
ssl = ssls.accept
|
|
|
|
rescue OpenSSL::SSL::SSLError, IOError, Errno::EBADF, Errno::EINVAL,
|
|
|
|
Errno::ECONNABORTED, Errno::ENOTSOCK, Errno::ECONNRESET
|
|
|
|
retry if ignore_listener_error
|
|
|
|
raise
|
|
|
|
end
|
|
|
|
|
|
|
|
th = Thread.new do
|
2017-12-15 03:19:32 -05:00
|
|
|
if Thread.method_defined?(:report_on_exception=)
|
|
|
|
Thread.current.report_on_exception = false
|
|
|
|
end
|
|
|
|
|
2017-09-03 08:35:27 -04:00
|
|
|
begin
|
|
|
|
server_proc.call(ctx, ssl)
|
|
|
|
ensure
|
|
|
|
ssl.close
|
|
|
|
end
|
|
|
|
true
|
|
|
|
end
|
|
|
|
threads << th
|
2014-11-01 10:12:11 -04:00
|
|
|
end
|
2017-09-03 08:35:27 -04:00
|
|
|
ensure
|
|
|
|
tcps.close
|
2014-11-01 10:53:32 -04:00
|
|
|
end
|
2017-09-03 08:35:27 -04:00
|
|
|
end
|
2011-06-21 23:40:08 -04:00
|
|
|
|
2017-09-03 08:35:27 -04:00
|
|
|
client_thread = Thread.new do
|
2017-12-15 03:19:32 -05:00
|
|
|
if Thread.method_defined?(:report_on_exception=)
|
|
|
|
Thread.current.report_on_exception = false
|
|
|
|
end
|
|
|
|
|
2017-09-03 08:35:27 -04:00
|
|
|
begin
|
|
|
|
block.call(port)
|
|
|
|
ensure
|
|
|
|
# Stop accepting new connection
|
|
|
|
stop_pipe_w.close
|
|
|
|
server_thread.join
|
2014-11-01 09:10:37 -04:00
|
|
|
end
|
2011-06-21 23:40:08 -04:00
|
|
|
end
|
2017-09-03 08:35:27 -04:00
|
|
|
threads.unshift client_thread
|
|
|
|
ensure
|
|
|
|
# Terminate existing connections. If a thread did 'pend', re-raise it.
|
|
|
|
pend = nil
|
|
|
|
threads.each { |th|
|
|
|
|
begin
|
|
|
|
th.join(10) or
|
|
|
|
th.raise(RuntimeError, "[start_server] thread did not exit in 10 secs")
|
|
|
|
rescue (defined?(MiniTest::Skip) ? MiniTest::Skip : Test::Unit::PendedError)
|
|
|
|
# MiniTest::Skip is for the Ruby tree
|
|
|
|
pend = $!
|
|
|
|
rescue Exception
|
|
|
|
end
|
|
|
|
}
|
|
|
|
raise pend if pend
|
|
|
|
assert_join_threads(threads)
|
|
|
|
end
|
|
|
|
}
|
2011-06-21 23:40:08 -04:00
|
|
|
end
|
2017-09-03 08:35:27 -04:00
|
|
|
end
|
2011-06-21 23:40:08 -04:00
|
|
|
|
2017-09-03 08:35:27 -04:00
|
|
|
class OpenSSL::PKeyTestCase < OpenSSL::TestCase
|
|
|
|
def check_component(base, test, keys)
|
|
|
|
keys.each { |comp|
|
|
|
|
assert_equal base.send(comp), test.send(comp)
|
|
|
|
}
|
|
|
|
end
|
2016-08-29 01:47:09 -04:00
|
|
|
|
2017-09-03 08:35:27 -04:00
|
|
|
def dup_public(key)
|
|
|
|
case key
|
|
|
|
when OpenSSL::PKey::RSA
|
|
|
|
rsa = OpenSSL::PKey::RSA.new
|
|
|
|
rsa.set_key(key.n, key.e, nil)
|
|
|
|
rsa
|
|
|
|
when OpenSSL::PKey::DSA
|
|
|
|
dsa = OpenSSL::PKey::DSA.new
|
|
|
|
dsa.set_pqg(key.p, key.q, key.g)
|
|
|
|
dsa.set_key(key.pub_key, nil)
|
|
|
|
dsa
|
|
|
|
when OpenSSL::PKey::DH
|
|
|
|
dh = OpenSSL::PKey::DH.new
|
|
|
|
dh.set_pqg(key.p, nil, key.g)
|
|
|
|
dh
|
|
|
|
else
|
|
|
|
if defined?(OpenSSL::PKey::EC) && OpenSSL::PKey::EC === key
|
|
|
|
ec = OpenSSL::PKey::EC.new(key.group)
|
|
|
|
ec.public_key = key.public_key
|
|
|
|
ec
|
2016-08-29 01:47:09 -04:00
|
|
|
else
|
2017-09-03 08:35:27 -04:00
|
|
|
raise "unknown key type"
|
2016-08-29 01:47:09 -04:00
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
2017-09-03 08:35:27 -04:00
|
|
|
end
|
2016-08-29 01:47:09 -04:00
|
|
|
|
2017-09-03 08:35:27 -04:00
|
|
|
end
|